2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997.
7 * Copyright (C) Marc Jacobsen 1999.
8 * Copyright (C) Jeremy Allison 2001-2002.
9 * Copyright (C) Jean François Micouleau 1998-2001.
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27 * This is the implementation of the SAMR code.
33 #define DBGC_CLASS DBGC_RPC_SRV
35 extern fstring global_myworkgroup
;
36 extern pstring global_myname
;
37 extern DOM_SID global_sid_Builtin
;
39 extern rid_name domain_group_rids
[];
40 extern rid_name domain_alias_rids
[];
41 extern rid_name builtin_alias_rids
[];
44 typedef struct _disp_info
{
46 uint32 num_user_account
;
47 DISP_USER_INFO
*disp_user_info
;
49 uint32 num_group_account
;
50 DISP_GROUP_INFO
*disp_group_info
;
54 /* for use by the \PIPE\samr policy */
56 uint32 status
; /* some sort of flag. best to record it. comes from opnum 0x39 */
63 struct generic_mapping sam_generic_mapping
= {SAMR_READ
, SAMR_WRITE
, SAMR_EXECUTE
, SAMR_ALL_ACCESS
};
64 struct generic_mapping dom_generic_mapping
= {DOMAIN_READ
, DOMAIN_WRITE
, DOMAIN_EXECUTE
, DOMAIN_ALL_ACCESS
};
65 struct generic_mapping usr_generic_mapping
= {USER_READ
, USER_WRITE
, USER_EXECUTE
, USER_ALL_ACCESS
};
66 struct generic_mapping grp_generic_mapping
= {GROUP_READ
, GROUP_WRITE
, GROUP_EXECUTE
, GROUP_ALL_ACCESS
};
67 struct generic_mapping ali_generic_mapping
= {ALIAS_READ
, ALIAS_WRITE
, ALIAS_EXECUTE
, ALIAS_ALL_ACCESS
};
69 static NTSTATUS
samr_make_dom_obj_sd(TALLOC_CTX
*ctx
, SEC_DESC
**psd
, size_t *d_size
);
72 /*******************************************************************
73 Checks if access to an object should be granted, and returns that
74 level of access for further checks.
75 ********************************************************************/
77 NTSTATUS
access_check_samr_object(SEC_DESC
*psd
, NT_USER_TOKEN
*nt_user_token
, uint32 des_access
,
78 uint32
*acc_granted
, const char *debug
)
80 NTSTATUS status
= NT_STATUS_ACCESS_DENIED
;
82 if (!se_access_check(psd
, nt_user_token
, des_access
, acc_granted
, &status
)) {
83 if (geteuid() == sec_initial_uid()) {
84 DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n",
86 DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n"));
87 status
= NT_STATUS_OK
;
90 DEBUG(2,("%s: ACCESS DENIED (requested: %#010x)\n",
97 /*******************************************************************
98 Checks if access to a function can be granted
99 ********************************************************************/
101 NTSTATUS
access_check_samr_function(uint32 acc_granted
, uint32 acc_required
, const char *debug
)
103 DEBUG(5,("%s: access check ((granted: %#010x; required: %#010x)\n",
104 debug
, acc_granted
, acc_required
));
105 if ((acc_granted
& acc_required
) != acc_required
) {
106 if (geteuid() == sec_initial_uid()) {
107 DEBUG(4,("%s: ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
108 debug
, acc_granted
, acc_required
));
109 DEBUGADD(4,("but overwritten by euid == 0\n"));
112 DEBUG(2,("%s: ACCESS DENIED (granted: %#010x; required: %#010x)\n",
113 debug
, acc_granted
, acc_required
));
114 return NT_STATUS_ACCESS_DENIED
;
120 /*******************************************************************
121 Create a samr_info struct.
122 ********************************************************************/
124 static struct samr_info
*get_samr_info_by_sid(DOM_SID
*psid
)
126 struct samr_info
*info
;
131 sid_to_string(sid_str
, psid
);
133 fstrcpy(sid_str
,"(NULL)");
136 mem_ctx
= talloc_init_named("samr_info for domain sid %s", sid_str
);
138 if ((info
= (struct samr_info
*)talloc(mem_ctx
, sizeof(struct samr_info
))) == NULL
)
142 DEBUG(10,("get_samr_info_by_sid: created new info for sid %s\n", sid_str
));
144 sid_copy( &info
->sid
, psid
);
146 DEBUG(10,("get_samr_info_by_sid: created new info for NULL sid.\n"));
148 info
->mem_ctx
= mem_ctx
;
152 /*******************************************************************
153 Function to free the per handle data.
154 ********************************************************************/
155 static void free_samr_db(struct samr_info
*info
)
159 /* Groups are talloced */
161 if (info
->disp_info
.user_dbloaded
){
162 for (i
=0; i
<info
->disp_info
.num_user_account
; i
++) {
163 /* Not really a free, actually a 'clear' */
164 pdb_free_sam(&info
->disp_info
.disp_user_info
[i
].sam
);
168 info
->disp_info
.user_dbloaded
=False
;
169 info
->disp_info
.group_dbloaded
=False
;
170 info
->disp_info
.num_group_account
=0;
171 info
->disp_info
.num_user_account
=0;
175 static void free_samr_info(void *ptr
)
177 struct samr_info
*info
=(struct samr_info
*) ptr
;
180 talloc_destroy(info
->mem_ctx
);
183 /*******************************************************************
184 Ensure password info is never given out. Paranioa... JRA.
185 ********************************************************************/
187 static void samr_clear_sam_passwd(SAM_ACCOUNT
*sam_pass
)
193 /* These now zero out the old password */
195 pdb_set_lanman_passwd(sam_pass
, NULL
);
196 pdb_set_nt_passwd(sam_pass
, NULL
);
200 static NTSTATUS
load_sampwd_entries(struct samr_info
*info
, uint16 acb_mask
)
202 SAM_ACCOUNT
*pwd
= NULL
;
203 DISP_USER_INFO
*pwd_array
= NULL
;
204 NTSTATUS nt_status
= NT_STATUS_OK
;
205 TALLOC_CTX
*mem_ctx
= info
->mem_ctx
;
207 DEBUG(10,("load_sampwd_entries\n"));
209 /* if the snapshoot is already loaded, return */
210 if (info
->disp_info
.user_dbloaded
==True
) {
211 DEBUG(10,("load_sampwd_entries: already in memory\n"));
215 if (!pdb_setsampwent(False
)) {
216 DEBUG(0, ("load_sampwd_entries: Unable to open passdb.\n"));
217 return NT_STATUS_ACCESS_DENIED
;
220 for (; (NT_STATUS_IS_OK(nt_status
= pdb_init_sam_talloc(mem_ctx
, &pwd
)))
221 && pdb_getsampwent(pwd
) == True
; pwd
=NULL
) {
223 if (acb_mask
!= 0 && !(pdb_get_acct_ctrl(pwd
) & acb_mask
)) {
225 DEBUG(5,(" acb_mask %x reject\n", acb_mask
));
229 /* Realloc some memory for the array of ptr to the SAM_ACCOUNT structs */
230 if (info
->disp_info
.num_user_account
% MAX_SAM_ENTRIES
== 0) {
232 DEBUG(10,("load_sampwd_entries: allocating more memory\n"));
233 pwd_array
=(DISP_USER_INFO
*)talloc_realloc(mem_ctx
, info
->disp_info
.disp_user_info
,
234 (info
->disp_info
.num_user_account
+MAX_SAM_ENTRIES
)*sizeof(DISP_USER_INFO
));
237 return NT_STATUS_NO_MEMORY
;
239 info
->disp_info
.disp_user_info
=pwd_array
;
242 /* link the SAM_ACCOUNT to the array */
243 info
->disp_info
.disp_user_info
[info
->disp_info
.num_user_account
].sam
=pwd
;
245 DEBUG(10,("load_sampwd_entries: entry: %d\n", info
->disp_info
.num_user_account
));
247 info
->disp_info
.num_user_account
++;
252 /* the snapshoot is in memory, we're ready to enumerate fast */
254 info
->disp_info
.user_dbloaded
=True
;
256 DEBUG(12,("load_sampwd_entries: done\n"));
261 static NTSTATUS
load_group_domain_entries(struct samr_info
*info
, DOM_SID
*sid
)
264 DISP_GROUP_INFO
*grp_array
= NULL
;
265 uint32 group_entries
= 0;
267 TALLOC_CTX
*mem_ctx
= info
->mem_ctx
;
269 DEBUG(10,("load_group_domain_entries\n"));
271 /* if the snapshoot is already loaded, return */
272 if (info
->disp_info
.group_dbloaded
==True
) {
273 DEBUG(10,("load_group_domain_entries: already in memory\n"));
277 if (!enum_group_mapping(SID_NAME_DOM_GRP
, &map
, (int *)&group_entries
, ENUM_ONLY_MAPPED
, MAPPING_WITHOUT_PRIV
)) {
278 return NT_STATUS_NO_MEMORY
;
281 info
->disp_info
.num_group_account
=group_entries
;
283 grp_array
=(DISP_GROUP_INFO
*)talloc(mem_ctx
, info
->disp_info
.num_group_account
*sizeof(DISP_GROUP_INFO
));
285 if (group_entries
!=0 && grp_array
==NULL
) {
287 return NT_STATUS_NO_MEMORY
;
290 info
->disp_info
.disp_group_info
=grp_array
;
292 for (i
=0; i
<group_entries
; i
++) {
294 grp_array
[i
].grp
=(DOMAIN_GRP
*)talloc(mem_ctx
, sizeof(DOMAIN_GRP
));
296 fstrcpy(grp_array
[i
].grp
->name
, map
[i
].nt_name
);
297 fstrcpy(grp_array
[i
].grp
->comment
, map
[i
].comment
);
298 sid_split_rid(&map
[i
].sid
, &grp_array
[i
].grp
->rid
);
299 grp_array
[i
].grp
->attr
=SID_NAME_DOM_GRP
;
304 /* the snapshoot is in memory, we're ready to enumerate fast */
306 info
->disp_info
.group_dbloaded
=True
;
308 DEBUG(12,("load_group_domain_entries: done\n"));
314 /*******************************************************************
316 ********************************************************************/
318 NTSTATUS
_samr_close_hnd(pipes_struct
*p
, SAMR_Q_CLOSE_HND
*q_u
, SAMR_R_CLOSE_HND
*r_u
)
320 r_u
->status
= NT_STATUS_OK
;
322 /* close the policy handle */
323 if (!close_policy_hnd(p
, &q_u
->pol
))
324 return NT_STATUS_OBJECT_NAME_INVALID
;
326 DEBUG(5,("samr_reply_close_hnd: %d\n", __LINE__
));
331 /*******************************************************************
332 samr_reply_open_domain
333 ********************************************************************/
335 NTSTATUS
_samr_open_domain(pipes_struct
*p
, SAMR_Q_OPEN_DOMAIN
*q_u
, SAMR_R_OPEN_DOMAIN
*r_u
)
337 struct samr_info
*info
;
338 SEC_DESC
*psd
= NULL
;
340 uint32 des_access
= q_u
->flags
;
344 r_u
->status
= NT_STATUS_OK
;
346 /* find the connection policy handle. */
347 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void**)&info
))
348 return NT_STATUS_INVALID_HANDLE
;
350 if (!NT_STATUS_IS_OK(status
= access_check_samr_function(info
->acc_granted
, SAMR_ACCESS_OPEN_DOMAIN
,"_samr_open_domain"))) {
354 /*check if access can be granted as requested by client. */
355 samr_make_dom_obj_sd(p
->mem_ctx
, &psd
, &sd_size
);
356 se_map_generic(&des_access
,&dom_generic_mapping
);
358 if (!NT_STATUS_IS_OK(status
=
359 access_check_samr_object(psd
, p
->pipe_user
.nt_user_token
,
360 des_access
, &acc_granted
, "_samr_open_domain"))) {
364 /* associate the domain SID with the (unique) handle. */
365 if ((info
= get_samr_info_by_sid(&q_u
->dom_sid
.sid
))==NULL
)
366 return NT_STATUS_NO_MEMORY
;
367 info
->acc_granted
= acc_granted
;
369 /* get a (unique) handle. open a policy on it. */
370 if (!create_policy_hnd(p
, &r_u
->domain_pol
, free_samr_info
, (void *)info
))
371 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
373 DEBUG(5,("samr_open_domain: %d\n", __LINE__
));
378 /*******************************************************************
379 _samr_get_usrdom_pwinfo
380 ********************************************************************/
382 NTSTATUS
_samr_get_usrdom_pwinfo(pipes_struct
*p
, SAMR_Q_GET_USRDOM_PWINFO
*q_u
, SAMR_R_GET_USRDOM_PWINFO
*r_u
)
384 struct samr_info
*info
= NULL
;
386 r_u
->status
= NT_STATUS_OK
;
388 /* find the policy handle. open a policy on it. */
389 if (!find_policy_by_hnd(p
, &q_u
->user_pol
, (void **)&info
))
390 return NT_STATUS_INVALID_HANDLE
;
392 if (!sid_check_is_in_our_domain(&info
->sid
))
393 return NT_STATUS_OBJECT_TYPE_MISMATCH
;
395 init_samr_r_get_usrdom_pwinfo(r_u
, NT_STATUS_OK
);
397 DEBUG(5,("_samr_get_usrdom_pwinfo: %d\n", __LINE__
));
400 * NT sometimes return NT_STATUS_ACCESS_DENIED
401 * I don't know yet why.
408 /*******************************************************************
410 ********************************************************************/
412 static NTSTATUS
samr_make_sam_obj_sd(TALLOC_CTX
*ctx
, SEC_DESC
**psd
, size_t *sd_size
)
414 extern DOM_SID global_sid_World
;
423 sid_copy(&adm_sid
, &global_sid_Builtin
);
424 sid_append_rid(&adm_sid
, BUILTIN_ALIAS_RID_ADMINS
);
426 sid_copy(&act_sid
, &global_sid_Builtin
);
427 sid_append_rid(&act_sid
, BUILTIN_ALIAS_RID_ACCOUNT_OPS
);
429 /*basic access for every one*/
430 init_sec_access(&mask
, SAMR_EXECUTE
| SAMR_READ
);
431 init_sec_ace(&ace
[0], &global_sid_World
, SEC_ACE_TYPE_ACCESS_ALLOWED
, mask
, 0);
433 /*full access for builtin aliases Administrators and Account Operators*/
434 init_sec_access(&mask
, SAMR_ALL_ACCESS
);
435 init_sec_ace(&ace
[1], &adm_sid
, SEC_ACE_TYPE_ACCESS_ALLOWED
, mask
, 0);
436 init_sec_ace(&ace
[2], &act_sid
, SEC_ACE_TYPE_ACCESS_ALLOWED
, mask
, 0);
438 if ((psa
= make_sec_acl(ctx
, NT4_ACL_REVISION
, 3, ace
)) == NULL
)
439 return NT_STATUS_NO_MEMORY
;
441 if ((*psd
= make_sec_desc(ctx
, SEC_DESC_REVISION
, NULL
, NULL
, NULL
, psa
, sd_size
)) == NULL
)
442 return NT_STATUS_NO_MEMORY
;
447 /*******************************************************************
449 ********************************************************************/
451 static NTSTATUS
samr_make_dom_obj_sd(TALLOC_CTX
*ctx
, SEC_DESC
**psd
, size_t *sd_size
)
453 extern DOM_SID global_sid_World
;
462 sid_copy(&adm_sid
, &global_sid_Builtin
);
463 sid_append_rid(&adm_sid
, BUILTIN_ALIAS_RID_ADMINS
);
465 sid_copy(&act_sid
, &global_sid_Builtin
);
466 sid_append_rid(&act_sid
, BUILTIN_ALIAS_RID_ACCOUNT_OPS
);
468 /*basic access for every one*/
469 init_sec_access(&mask
, DOMAIN_EXECUTE
| DOMAIN_READ
);
470 init_sec_ace(&ace
[0], &global_sid_World
, SEC_ACE_TYPE_ACCESS_ALLOWED
, mask
, 0);
472 /*full access for builtin aliases Administrators and Account Operators*/
473 init_sec_access(&mask
, DOMAIN_ALL_ACCESS
);
474 init_sec_ace(&ace
[1], &adm_sid
, SEC_ACE_TYPE_ACCESS_ALLOWED
, mask
, 0);
475 init_sec_ace(&ace
[2], &act_sid
, SEC_ACE_TYPE_ACCESS_ALLOWED
, mask
, 0);
477 if ((psa
= make_sec_acl(ctx
, NT4_ACL_REVISION
, 3, ace
)) == NULL
)
478 return NT_STATUS_NO_MEMORY
;
480 if ((*psd
= make_sec_desc(ctx
, SEC_DESC_REVISION
, NULL
, NULL
, NULL
, psa
, sd_size
)) == NULL
)
481 return NT_STATUS_NO_MEMORY
;
486 /*******************************************************************
488 ********************************************************************/
490 static NTSTATUS
samr_make_usr_obj_sd(TALLOC_CTX
*ctx
, SEC_DESC
**psd
, size_t *sd_size
, DOM_SID
*usr_sid
)
492 extern DOM_SID global_sid_World
;
501 sid_copy(&adm_sid
, &global_sid_Builtin
);
502 sid_append_rid(&adm_sid
, BUILTIN_ALIAS_RID_ADMINS
);
504 sid_copy(&act_sid
, &global_sid_Builtin
);
505 sid_append_rid(&act_sid
, BUILTIN_ALIAS_RID_ACCOUNT_OPS
);
507 /*basic access for every one*/
508 init_sec_access(&mask
, USER_EXECUTE
| USER_READ
);
509 init_sec_ace(&ace
[0], &global_sid_World
, SEC_ACE_TYPE_ACCESS_ALLOWED
, mask
, 0);
511 /*full access for builtin aliases Administrators and Account Operators*/
512 init_sec_access(&mask
, USER_ALL_ACCESS
);
513 init_sec_ace(&ace
[1], &adm_sid
, SEC_ACE_TYPE_ACCESS_ALLOWED
, mask
, 0);
514 init_sec_ace(&ace
[2], &act_sid
, SEC_ACE_TYPE_ACCESS_ALLOWED
, mask
, 0);
516 /*extended access for the user*/
517 init_sec_access(&mask
,READ_CONTROL_ACCESS
| USER_ACCESS_CHANGE_PASSWORD
| USER_ACCESS_SET_LOC_COM
);
518 init_sec_ace(&ace
[3], usr_sid
, SEC_ACE_TYPE_ACCESS_ALLOWED
, mask
, 0);
520 if ((psa
= make_sec_acl(ctx
, NT4_ACL_REVISION
, 4, ace
)) == NULL
)
521 return NT_STATUS_NO_MEMORY
;
523 if ((*psd
= make_sec_desc(ctx
, SEC_DESC_REVISION
, NULL
, NULL
, NULL
, psa
, sd_size
)) == NULL
)
524 return NT_STATUS_NO_MEMORY
;
529 /*******************************************************************
531 ********************************************************************/
533 static NTSTATUS
samr_make_grp_obj_sd(TALLOC_CTX
*ctx
, SEC_DESC
**psd
, size_t *sd_size
)
535 extern DOM_SID global_sid_World
;
544 sid_copy(&adm_sid
, &global_sid_Builtin
);
545 sid_append_rid(&adm_sid
, BUILTIN_ALIAS_RID_ADMINS
);
547 sid_copy(&act_sid
, &global_sid_Builtin
);
548 sid_append_rid(&act_sid
, BUILTIN_ALIAS_RID_ACCOUNT_OPS
);
550 /*basic access for every one*/
551 init_sec_access(&mask
, GROUP_EXECUTE
| GROUP_READ
);
552 init_sec_ace(&ace
[0], &global_sid_World
, SEC_ACE_TYPE_ACCESS_ALLOWED
, mask
, 0);
554 /*full access for builtin aliases Administrators and Account Operators*/
555 init_sec_access(&mask
, GROUP_ALL_ACCESS
);
556 init_sec_ace(&ace
[1], &adm_sid
, SEC_ACE_TYPE_ACCESS_ALLOWED
, mask
, 0);
557 init_sec_ace(&ace
[2], &act_sid
, SEC_ACE_TYPE_ACCESS_ALLOWED
, mask
, 0);
559 if ((psa
= make_sec_acl(ctx
, NT4_ACL_REVISION
, 3, ace
)) == NULL
)
560 return NT_STATUS_NO_MEMORY
;
562 if ((*psd
= make_sec_desc(ctx
, SEC_DESC_REVISION
, NULL
, NULL
, NULL
, psa
, sd_size
)) == NULL
)
563 return NT_STATUS_NO_MEMORY
;
568 /*******************************************************************
570 ********************************************************************/
572 static NTSTATUS
samr_make_ali_obj_sd(TALLOC_CTX
*ctx
, SEC_DESC
**psd
, size_t *sd_size
)
574 extern DOM_SID global_sid_World
;
583 sid_copy(&adm_sid
, &global_sid_Builtin
);
584 sid_append_rid(&adm_sid
, BUILTIN_ALIAS_RID_ADMINS
);
586 sid_copy(&act_sid
, &global_sid_Builtin
);
587 sid_append_rid(&act_sid
, BUILTIN_ALIAS_RID_ACCOUNT_OPS
);
589 /*basic access for every one*/
590 init_sec_access(&mask
, ALIAS_EXECUTE
| ALIAS_READ
);
591 init_sec_ace(&ace
[0], &global_sid_World
, SEC_ACE_TYPE_ACCESS_ALLOWED
, mask
, 0);
593 /*full access for builtin aliases Administrators and Account Operators*/
594 init_sec_access(&mask
, ALIAS_ALL_ACCESS
);
595 init_sec_ace(&ace
[1], &adm_sid
, SEC_ACE_TYPE_ACCESS_ALLOWED
, mask
, 0);
596 init_sec_ace(&ace
[2], &act_sid
, SEC_ACE_TYPE_ACCESS_ALLOWED
, mask
, 0);
598 if ((psa
= make_sec_acl(ctx
, NT4_ACL_REVISION
, 3, ace
)) == NULL
)
599 return NT_STATUS_NO_MEMORY
;
601 if ((*psd
= make_sec_desc(ctx
, SEC_DESC_REVISION
, NULL
, NULL
, NULL
, psa
, sd_size
)) == NULL
)
602 return NT_STATUS_NO_MEMORY
;
607 static BOOL
get_lsa_policy_samr_sid(pipes_struct
*p
, POLICY_HND
*pol
, DOM_SID
*sid
, uint32
*acc_granted
)
609 struct samr_info
*info
= NULL
;
611 /* find the policy handle. open a policy on it. */
612 if (!find_policy_by_hnd(p
, pol
, (void **)&info
))
619 *acc_granted
= info
->acc_granted
;
623 /*******************************************************************
625 ********************************************************************/
627 NTSTATUS
_samr_set_sec_obj(pipes_struct
*p
, SAMR_Q_SET_SEC_OBJ
*q_u
, SAMR_R_SET_SEC_OBJ
*r_u
)
629 DEBUG(0,("_samr_set_sec_obj: Not yet implemented!\n"));
630 return NT_STATUS_NOT_IMPLEMENTED
;
634 /*******************************************************************
636 ********************************************************************/
638 NTSTATUS
_samr_query_sec_obj(pipes_struct
*p
, SAMR_Q_QUERY_SEC_OBJ
*q_u
, SAMR_R_QUERY_SEC_OBJ
*r_u
)
642 SEC_DESC
* psd
= NULL
;
646 r_u
->status
= NT_STATUS_OK
;
649 if (!get_lsa_policy_samr_sid(p
, &q_u
->user_pol
, &pol_sid
, &acc_granted
))
650 return NT_STATUS_INVALID_HANDLE
;
654 DEBUG(10,("_samr_query_sec_obj: querying security on SID: %s\n", sid_to_string(str_sid
, &pol_sid
)));
656 /* Check what typ of SID is beeing queried (e.g Domain SID, User SID, Group SID) */
658 /* To query the security of the SAM it self an invalid SID with S-0-0 is passed to this function */
659 if (pol_sid
.sid_rev_num
== 0)
661 DEBUG(5,("_samr_query_sec_obj: querying security on SAM\n"));
662 r_u
->status
= samr_make_sam_obj_sd(p
->mem_ctx
, &psd
, &sd_size
);
664 else if (sid_equal(&pol_sid
,get_global_sam_sid())) /* check if it is our domain SID */
667 DEBUG(5,("_samr_query_sec_obj: querying security on Domain with SID: %s\n", sid_to_string(str_sid
, &pol_sid
)));
668 r_u
->status
= samr_make_dom_obj_sd(p
->mem_ctx
, &psd
, &sd_size
);
670 else if (sid_equal(&pol_sid
,&global_sid_Builtin
)) /* check if it is the Builtin Domain */
672 /* TODO: Builtin probably needs a different SD with restricted write access*/
673 DEBUG(5,("_samr_query_sec_obj: querying security on Builtin Domain with SID: %s\n", sid_to_string(str_sid
, &pol_sid
)));
674 r_u
->status
= samr_make_dom_obj_sd(p
->mem_ctx
, &psd
, &sd_size
);
676 else if (sid_check_is_in_our_domain(&pol_sid
) ||
677 sid_check_is_in_builtin(&pol_sid
))
679 /* TODO: different SDs have to be generated for aliases groups and users.
680 Currently all three get a default user SD */
681 DEBUG(10,("_samr_query_sec_obj: querying security on Object with SID: %s\n", sid_to_string(str_sid
, &pol_sid
)));
682 r_u
->status
= samr_make_usr_obj_sd(p
->mem_ctx
, &psd
,&sd_size
, &pol_sid
);
684 else return NT_STATUS_OBJECT_TYPE_MISMATCH
;
686 if ((r_u
->buf
= make_sec_desc_buf(p
->mem_ctx
, sd_size
, psd
)) == NULL
)
687 return NT_STATUS_NO_MEMORY
;
689 if (NT_STATUS_IS_OK(r_u
->status
))
695 /*******************************************************************
696 makes a SAM_ENTRY / UNISTR2* structure from a user list.
697 ********************************************************************/
699 static NTSTATUS
make_user_sam_entry_list(TALLOC_CTX
*ctx
, SAM_ENTRY
**sam_pp
, UNISTR2
**uni_name_pp
,
700 uint32 num_entries
, uint32 start_idx
, DISP_USER_INFO
*disp_user_info
,
706 SAM_ACCOUNT
*pwd
= NULL
;
707 UNISTR2 uni_temp_name
;
708 const char *temp_name
;
709 const DOM_SID
*user_sid
;
711 fstring user_sid_string
;
712 fstring domain_sid_string
;
717 if (num_entries
== 0)
720 sam
= (SAM_ENTRY
*)talloc_zero(ctx
, sizeof(SAM_ENTRY
)*num_entries
);
722 uni_name
= (UNISTR2
*)talloc_zero(ctx
, sizeof(UNISTR2
)*num_entries
);
724 if (sam
== NULL
|| uni_name
== NULL
) {
725 DEBUG(0, ("make_user_sam_entry_list: talloc_zero failed!\n"));
726 return NT_STATUS_NO_MEMORY
;
729 for (i
= 0; i
< num_entries
; i
++) {
730 pwd
= disp_user_info
[i
+start_idx
].sam
;
731 temp_name
= pdb_get_username(pwd
);
732 init_unistr2(&uni_temp_name
, temp_name
, strlen(temp_name
)+1);
733 user_sid
= pdb_get_user_sid(pwd
);
735 if (!sid_peek_check_rid(domain_sid
, user_sid
, &user_rid
)) {
736 DEBUG(0, ("make_user_sam_entry_list: User %s has SID %s, which conflicts with "
737 "the domain sid %s. Failing operation.\n",
739 sid_to_string(user_sid_string
, user_sid
),
740 sid_to_string(domain_sid_string
, domain_sid
)));
741 return NT_STATUS_UNSUCCESSFUL
;
744 init_sam_entry(&sam
[i
], uni_temp_name
.uni_str_len
, user_rid
);
745 copy_unistr2(&uni_name
[i
], &uni_temp_name
);
749 *uni_name_pp
= uni_name
;
753 /*******************************************************************
754 samr_reply_enum_dom_users
755 ********************************************************************/
757 NTSTATUS
_samr_enum_dom_users(pipes_struct
*p
, SAMR_Q_ENUM_DOM_USERS
*q_u
,
758 SAMR_R_ENUM_DOM_USERS
*r_u
)
760 struct samr_info
*info
= NULL
;
761 uint32 struct_size
=0x20; /* W2K always reply that, client doesn't care */
763 uint32 enum_context
=q_u
->start_idx
;
764 uint32 max_size
=q_u
->max_size
;
766 enum remote_arch_types ra_type
= get_remote_arch();
767 int max_sam_entries
= (ra_type
== RA_WIN95
) ? MAX_SAM_ENTRIES_W95
: MAX_SAM_ENTRIES_W2K
;
768 uint32 max_entries
= max_sam_entries
;
771 r_u
->status
= NT_STATUS_OK
;
773 /* find the policy handle. open a policy on it. */
774 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)&info
))
775 return NT_STATUS_INVALID_HANDLE
;
777 domain_sid
= info
->sid
;
779 if (!NT_STATUS_IS_OK(r_u
->status
= access_check_samr_function(info
->acc_granted
,
780 DOMAIN_ACCESS_ENUM_ACCOUNTS
,
781 "_samr_enum_dom_users"))) {
785 DEBUG(5,("_samr_enum_dom_users: %d\n", __LINE__
));
788 r_u
->status
=load_sampwd_entries(info
, q_u
->acb_mask
);
791 if (!NT_STATUS_IS_OK(r_u
->status
))
794 num_account
= info
->disp_info
.num_user_account
;
796 if (enum_context
> num_account
) {
797 DEBUG(5, ("_samr_enum_dom_users: enumeration handle over total entries\n"));
801 /* verify we won't overflow */
802 if (max_entries
> num_account
-enum_context
) {
803 max_entries
= num_account
-enum_context
;
804 DEBUG(5, ("_samr_enum_dom_users: only %d entries to return\n", max_entries
));
807 /* calculate the size and limit on the number of entries we will return */
808 temp_size
=max_entries
*struct_size
;
810 if (temp_size
>max_size
) {
811 max_entries
=MIN((max_size
/struct_size
),max_entries
);;
812 DEBUG(5, ("_samr_enum_dom_users: buffer size limits to only %d entries\n", max_entries
));
816 * Note from JRA. total_entries is not being used here. Currently if there is a
817 * large user base then it looks like NT will enumerate until get_sampwd_entries
818 * returns False due to num_entries being zero. This will cause an access denied
819 * return. I don't think this is right and needs further investigation. Note that
820 * this is also the same in the TNG code (I don't think that has been tested with
821 * a very large user list as MAX_SAM_ENTRIES is set to 600).
823 * I also think that one of the 'num_entries' return parameters is probably
824 * the "max entries" parameter - but in the TNG code they're all currently set to the same
825 * value (again I think this is wrong).
828 r_u
->status
= make_user_sam_entry_list(p
->mem_ctx
, &r_u
->sam
, &r_u
->uni_acct_name
,
829 max_entries
, enum_context
,
830 info
->disp_info
.disp_user_info
,
833 if (!NT_STATUS_IS_OK(r_u
->status
))
836 if (enum_context
+max_entries
< num_account
)
837 r_u
->status
= STATUS_MORE_ENTRIES
;
839 DEBUG(5, ("_samr_enum_dom_users: %d\n", __LINE__
));
841 init_samr_r_enum_dom_users(r_u
, q_u
->start_idx
+ max_entries
, max_entries
);
843 DEBUG(5,("_samr_enum_dom_users: %d\n", __LINE__
));
848 /*******************************************************************
849 makes a SAM_ENTRY / UNISTR2* structure from a group list.
850 ********************************************************************/
852 static void make_group_sam_entry_list(TALLOC_CTX
*ctx
, SAM_ENTRY
**sam_pp
, UNISTR2
**uni_name_pp
,
853 uint32 num_sam_entries
, DOMAIN_GRP
*grp
)
862 if (num_sam_entries
== 0)
865 sam
= (SAM_ENTRY
*)talloc_zero(ctx
, sizeof(SAM_ENTRY
)*num_sam_entries
);
867 uni_name
= (UNISTR2
*)talloc_zero(ctx
, sizeof(UNISTR2
)*num_sam_entries
);
869 if (sam
== NULL
|| uni_name
== NULL
) {
870 DEBUG(0, ("NULL pointers in SAMR_R_QUERY_DISPINFO\n"));
874 for (i
= 0; i
< num_sam_entries
; i
++) {
876 * JRA. I think this should include the null. TNG does not.
878 int len
= strlen(grp
[i
].name
)+1;
880 init_sam_entry(&sam
[i
], len
, grp
[i
].rid
);
881 init_unistr2(&uni_name
[i
], grp
[i
].name
, len
);
885 *uni_name_pp
= uni_name
;
888 /*******************************************************************
889 Get the group entries - similar to get_sampwd_entries().
890 ********************************************************************/
892 static NTSTATUS
get_group_alias_entries(TALLOC_CTX
*ctx
, DOMAIN_GRP
**d_grp
, DOM_SID
*sid
, uint32 start_idx
,
893 uint32
*p_num_entries
, uint32 max_entries
)
896 uint32 num_entries
= 0;
901 sid_to_string(sid_str
, sid
);
902 DEBUG(5, ("get_group_alias_entries: enumerating aliases on SID: %s\n", sid_str
));
906 /* well-known aliases */
907 if (sid_equal(sid
, &global_sid_Builtin
) && !lp_hide_local_users()) {
909 enum_group_mapping(SID_NAME_ALIAS
, &map
, (int *)&num_entries
, ENUM_ONLY_MAPPED
, MAPPING_WITHOUT_PRIV
);
911 if (num_entries
!= 0) {
912 *d_grp
=(DOMAIN_GRP
*)talloc_zero(ctx
, num_entries
*sizeof(DOMAIN_GRP
));
914 return NT_STATUS_NO_MEMORY
;
916 for(i
=0; i
<num_entries
&& i
<max_entries
; i
++) {
917 fstrcpy((*d_grp
)[i
].name
, map
[i
+start_idx
].nt_name
);
918 sid_split_rid(&map
[i
+start_idx
].sid
, &(*d_grp
)[i
].rid
);
924 } else if (sid_equal(sid
, get_global_sam_sid()) && !lp_hide_local_users()) {
925 struct sys_grent
*glist
;
926 struct sys_grent
*grp
;
928 gid_t winbind_gid_low
, winbind_gid_high
;
929 BOOL winbind_groups_exist
= lp_winbind_gid(&winbind_gid_low
, &winbind_gid_high
);
932 /* we return the UNIX groups here. This seems to be the right */
933 /* thing to do, since NT member servers return their local */
934 /* groups in the same situation. */
936 /* use getgrent_list() to retrieve the list of groups to avoid
937 * problems with getgrent possible infinite loop by internal
938 * libc grent structures overwrites by called functions */
939 grp
= glist
= getgrent_list();
941 return NT_STATUS_NO_MEMORY
;
943 for (; (num_entries
< max_entries
) && (grp
!= NULL
); grp
= grp
->next
) {
946 if(!get_group_from_gid(grp
->gr_gid
, &smap
, MAPPING_WITHOUT_PRIV
))
949 if (smap
.sid_name_use
!=SID_NAME_ALIAS
) {
953 sid_split_rid(&smap
.sid
, &trid
);
955 if (!sid_equal(sid
, &smap
.sid
))
958 /* Don't return winbind groups as they are not local! */
959 if (winbind_groups_exist
&& (grp
->gr_gid
>= winbind_gid_low
)&&(grp
->gr_gid
<= winbind_gid_high
)) {
960 DEBUG(10,("get_group_alias_entries: not returing %s, not local.\n", smap
.nt_name
));
964 /* Don't return user private groups... */
966 if ((pw
= Get_Pwnam(smap
.nt_name
)) != 0) {
967 DEBUG(10,("get_group_alias_entries: not returing %s, clashes with user.\n", smap
.nt_name
));
971 for( i
= 0; i
< num_entries
; i
++)
972 if ( (*d_grp
)[i
].rid
== trid
)
975 if ( i
< num_entries
) {
976 continue; /* rid was there, dup! */
979 /* JRA - added this for large group db enumeration... */
982 /* skip the requested number of entries.
983 not very efficient, but hey...
989 *d_grp
=talloc_realloc(ctx
,*d_grp
, (num_entries
+1)*sizeof(DOMAIN_GRP
));
992 return NT_STATUS_NO_MEMORY
;
995 fstrcpy((*d_grp
)[num_entries
].name
, smap
.nt_name
);
996 (*d_grp
)[num_entries
].rid
= trid
;
998 DEBUG(10,("get_group_alias_entries: added entry %d, rid:%d\n", num_entries
, trid
));
1004 *p_num_entries
= num_entries
;
1006 DEBUG(10,("get_group_alias_entries: returning %d entries\n", *p_num_entries
));
1008 if (num_entries
>= max_entries
)
1009 return STATUS_MORE_ENTRIES
;
1010 return NT_STATUS_OK
;
1013 /*******************************************************************
1014 Get the group entries - similar to get_sampwd_entries().
1015 ********************************************************************/
1017 static NTSTATUS
get_group_domain_entries(TALLOC_CTX
*ctx
, DOMAIN_GRP
**d_grp
, DOM_SID
*sid
, uint32 start_idx
,
1018 uint32
*p_num_entries
, uint32 max_entries
)
1020 GROUP_MAP
*map
=NULL
;
1022 uint32 group_entries
= 0;
1023 uint32 num_entries
= 0;
1027 enum_group_mapping(SID_NAME_DOM_GRP
, &map
, (int *)&group_entries
, ENUM_ONLY_MAPPED
, MAPPING_WITHOUT_PRIV
);
1029 num_entries
=group_entries
-start_idx
;
1031 /* limit the number of entries */
1032 if (num_entries
>max_entries
) {
1033 DEBUG(5,("Limiting to %d entries\n", max_entries
));
1034 num_entries
=max_entries
;
1037 *d_grp
=(DOMAIN_GRP
*)talloc_zero(ctx
, num_entries
*sizeof(DOMAIN_GRP
));
1038 if (num_entries
!=0 && *d_grp
==NULL
){
1040 return NT_STATUS_NO_MEMORY
;
1043 for (i
=0; i
<num_entries
; i
++) {
1044 fstrcpy((*d_grp
)[i
].name
, map
[i
+start_idx
].nt_name
);
1045 fstrcpy((*d_grp
)[i
].comment
, map
[i
+start_idx
].comment
);
1046 sid_split_rid(&map
[i
+start_idx
].sid
, &(*d_grp
)[i
].rid
);
1047 (*d_grp
)[i
].attr
=SID_NAME_DOM_GRP
;
1052 *p_num_entries
= num_entries
;
1054 return NT_STATUS_OK
;
1057 /*******************************************************************
1058 samr_reply_enum_dom_groups
1059 Only reply with one group - domain admins. This must be fixed for
1061 ********************************************************************/
1063 NTSTATUS
_samr_enum_dom_groups(pipes_struct
*p
, SAMR_Q_ENUM_DOM_GROUPS
*q_u
, SAMR_R_ENUM_DOM_GROUPS
*r_u
)
1065 DOMAIN_GRP
*grp
=NULL
;
1070 r_u
->status
= NT_STATUS_OK
;
1072 if (!get_lsa_policy_samr_sid(p
, &q_u
->pol
, &sid
, &acc_granted
))
1073 return NT_STATUS_INVALID_HANDLE
;
1075 if (!NT_STATUS_IS_OK(r_u
->status
= access_check_samr_function(acc_granted
, DOMAIN_ACCESS_ENUM_ACCOUNTS
, "_samr_enum_dom_groups"))) {
1079 DEBUG(5,("samr_reply_enum_dom_groups: %d\n", __LINE__
));
1081 /* the domain group array is being allocated in the function below */
1082 get_group_domain_entries(p
->mem_ctx
, &grp
, &sid
, q_u
->start_idx
, &num_entries
, MAX_SAM_ENTRIES
);
1084 make_group_sam_entry_list(p
->mem_ctx
, &r_u
->sam
, &r_u
->uni_grp_name
, num_entries
, grp
);
1086 init_samr_r_enum_dom_groups(r_u
, q_u
->start_idx
, num_entries
);
1088 DEBUG(5,("samr_enum_dom_groups: %d\n", __LINE__
));
1094 /*******************************************************************
1095 samr_reply_enum_dom_aliases
1096 ********************************************************************/
1098 NTSTATUS
_samr_enum_dom_aliases(pipes_struct
*p
, SAMR_Q_ENUM_DOM_ALIASES
*q_u
, SAMR_R_ENUM_DOM_ALIASES
*r_u
)
1100 DOMAIN_GRP
*grp
=NULL
;
1101 uint32 num_entries
= 0;
1107 r_u
->status
= NT_STATUS_OK
;
1109 if (!get_lsa_policy_samr_sid(p
, &q_u
->pol
, &sid
, &acc_granted
))
1110 return NT_STATUS_INVALID_HANDLE
;
1112 if (!NT_STATUS_IS_OK(r_u
->status
= access_check_samr_function(acc_granted
, DOMAIN_ACCESS_ENUM_ACCOUNTS
, "_samr_enum_dom_aliases"))) {
1116 sid_to_string(sid_str
, &sid
);
1117 DEBUG(5,("samr_reply_enum_dom_aliases: sid %s\n", sid_str
));
1119 status
= get_group_alias_entries(p
->mem_ctx
, &grp
, &sid
, q_u
->start_idx
,
1120 &num_entries
, MAX_SAM_ENTRIES
);
1121 if (NT_STATUS_IS_ERR(status
)) return status
;
1123 make_group_sam_entry_list(p
->mem_ctx
, &r_u
->sam
, &r_u
->uni_grp_name
, num_entries
, grp
);
1127 init_samr_r_enum_dom_aliases(r_u
, q_u
->start_idx
+ num_entries
, num_entries
);
1129 DEBUG(5,("samr_enum_dom_aliases: %d\n", __LINE__
));
1134 /*******************************************************************
1135 samr_reply_query_dispinfo
1136 ********************************************************************/
1137 NTSTATUS
_samr_query_dispinfo(pipes_struct
*p
, SAMR_Q_QUERY_DISPINFO
*q_u
,
1138 SAMR_R_QUERY_DISPINFO
*r_u
)
1140 struct samr_info
*info
= NULL
;
1141 uint32 struct_size
=0x20; /* W2K always reply that, client doesn't care */
1144 uint32 max_entries
=q_u
->max_entries
;
1145 uint32 enum_context
=q_u
->start_idx
;
1146 uint32 max_size
=q_u
->max_size
;
1148 SAM_DISPINFO_CTR
*ctr
;
1149 uint32 temp_size
=0, total_data_size
=0;
1151 uint32 num_account
= 0;
1152 enum remote_arch_types ra_type
= get_remote_arch();
1153 int max_sam_entries
= (ra_type
== RA_WIN95
) ? MAX_SAM_ENTRIES_W95
: MAX_SAM_ENTRIES_W2K
;
1156 DEBUG(5, ("samr_reply_query_dispinfo: %d\n", __LINE__
));
1157 r_u
->status
= NT_STATUS_OK
;
1159 /* find the policy handle. open a policy on it. */
1160 if (!find_policy_by_hnd(p
, &q_u
->domain_pol
, (void **)&info
))
1161 return NT_STATUS_INVALID_HANDLE
;
1163 domain_sid
= info
->sid
;
1166 * calculate how many entries we will return.
1168 * - the number of entries the client asked
1169 * - our limit on that
1170 * - the starting point (enumeration context)
1171 * - the buffer size the client will accept
1175 * We are a lot more like W2K. Instead of reading the SAM
1176 * each time to find the records we need to send back,
1177 * we read it once and link that copy to the sam handle.
1178 * For large user list (over the MAX_SAM_ENTRIES)
1179 * it's a definitive win.
1180 * second point to notice: between enumerations
1181 * our sam is now the same as it's a snapshoot.
1182 * third point: got rid of the static SAM_USER_21 struct
1183 * no more intermediate.
1184 * con: it uses much more memory, as a full copy is stored
1187 * If you want to change it, think twice and think
1188 * of the second point , that's really important.
1193 /* Get what we need from the password database */
1195 if (q_u
->switch_level
==2)
1196 acb_mask
= ACB_WSTRUST
;
1198 acb_mask
= ACB_NORMAL
;
1200 /* Get what we need from the password database */
1201 switch (q_u
->switch_level
) {
1206 r_u
->status
=load_sampwd_entries(info
, acb_mask
);
1208 if (!NT_STATUS_IS_OK(r_u
->status
)) {
1209 DEBUG(5, ("_samr_query_dispinfo: load_sampwd_entries failed\n"));
1212 num_account
= info
->disp_info
.num_user_account
;
1216 r_u
->status
= load_group_domain_entries(info
, &info
->sid
);
1217 if (!NT_STATUS_IS_OK(r_u
->status
))
1219 num_account
= info
->disp_info
.num_group_account
;
1222 DEBUG(0,("_samr_query_dispinfo: Unknown info level (%u)\n", (unsigned int)q_u
->switch_level
));
1223 return NT_STATUS_INVALID_INFO_CLASS
;
1226 /* first limit the number of entries we will return */
1227 if(max_entries
> max_sam_entries
) {
1228 DEBUG(5, ("samr_reply_query_dispinfo: client requested %d entries, limiting to %d\n", max_entries
, max_sam_entries
));
1229 max_entries
= max_sam_entries
;
1232 if (enum_context
> num_account
) {
1233 DEBUG(5, ("samr_reply_query_dispinfo: enumeration handle over total entries\n"));
1234 return NT_STATUS_NO_MORE_ENTRIES
;
1237 /* verify we won't overflow */
1238 if (max_entries
> num_account
-enum_context
) {
1239 max_entries
= num_account
-enum_context
;
1240 DEBUG(5, ("samr_reply_query_dispinfo: only %d entries to return\n", max_entries
));
1243 /* calculate the size and limit on the number of entries we will return */
1244 temp_size
=max_entries
*struct_size
;
1246 if (temp_size
>max_size
) {
1247 max_entries
=MIN((max_size
/struct_size
),max_entries
);;
1248 DEBUG(5, ("samr_reply_query_dispinfo: buffer size limits to only %d entries\n", max_entries
));
1251 if (!(ctr
= (SAM_DISPINFO_CTR
*)talloc_zero(p
->mem_ctx
,sizeof(SAM_DISPINFO_CTR
))))
1252 return NT_STATUS_NO_MEMORY
;
1256 /* Now create reply structure */
1257 switch (q_u
->switch_level
) {
1260 if (!(ctr
->sam
.info1
= (SAM_DISPINFO_1
*)talloc_zero(p
->mem_ctx
,max_entries
*sizeof(SAM_DISPINFO_1
))))
1261 return NT_STATUS_NO_MEMORY
;
1263 disp_ret
= init_sam_dispinfo_1(p
->mem_ctx
, ctr
->sam
.info1
, max_entries
, enum_context
,
1264 info
->disp_info
.disp_user_info
, &domain_sid
);
1265 if (!NT_STATUS_IS_OK(disp_ret
))
1270 if (!(ctr
->sam
.info2
= (SAM_DISPINFO_2
*)talloc_zero(p
->mem_ctx
,max_entries
*sizeof(SAM_DISPINFO_2
))))
1271 return NT_STATUS_NO_MEMORY
;
1273 disp_ret
= init_sam_dispinfo_2(p
->mem_ctx
, ctr
->sam
.info2
, max_entries
, enum_context
,
1274 info
->disp_info
.disp_user_info
, &domain_sid
);
1275 if (!NT_STATUS_IS_OK(disp_ret
))
1280 if (!(ctr
->sam
.info3
= (SAM_DISPINFO_3
*)talloc_zero(p
->mem_ctx
,max_entries
*sizeof(SAM_DISPINFO_3
))))
1281 return NT_STATUS_NO_MEMORY
;
1283 disp_ret
= init_sam_dispinfo_3(p
->mem_ctx
, ctr
->sam
.info3
, max_entries
, enum_context
, info
->disp_info
.disp_group_info
);
1284 if (!NT_STATUS_IS_OK(disp_ret
))
1289 if (!(ctr
->sam
.info4
= (SAM_DISPINFO_4
*)talloc_zero(p
->mem_ctx
,max_entries
*sizeof(SAM_DISPINFO_4
))))
1290 return NT_STATUS_NO_MEMORY
;
1292 disp_ret
= init_sam_dispinfo_4(p
->mem_ctx
, ctr
->sam
.info4
, max_entries
, enum_context
, info
->disp_info
.disp_user_info
);
1293 if (!NT_STATUS_IS_OK(disp_ret
))
1298 if (!(ctr
->sam
.info5
= (SAM_DISPINFO_5
*)talloc_zero(p
->mem_ctx
,max_entries
*sizeof(SAM_DISPINFO_5
))))
1299 return NT_STATUS_NO_MEMORY
;
1301 disp_ret
= init_sam_dispinfo_5(p
->mem_ctx
, ctr
->sam
.info5
, max_entries
, enum_context
, info
->disp_info
.disp_group_info
);
1302 if (!NT_STATUS_IS_OK(disp_ret
))
1307 ctr
->sam
.info
= NULL
;
1308 return NT_STATUS_INVALID_INFO_CLASS
;
1311 /* calculate the total size */
1312 total_data_size
=num_account
*struct_size
;
1314 if (enum_context
+max_entries
< num_account
)
1315 r_u
->status
= STATUS_MORE_ENTRIES
;
1317 DEBUG(5, ("_samr_query_dispinfo: %d\n", __LINE__
));
1319 init_samr_r_query_dispinfo(r_u
, max_entries
, total_data_size
, temp_size
, q_u
->switch_level
, ctr
, r_u
->status
);
1325 /*******************************************************************
1326 samr_reply_query_aliasinfo
1327 ********************************************************************/
1329 NTSTATUS
_samr_query_aliasinfo(pipes_struct
*p
, SAMR_Q_QUERY_ALIASINFO
*q_u
, SAMR_R_QUERY_ALIASINFO
*r_u
)
1335 r_u
->status
= NT_STATUS_OK
;
1337 DEBUG(5,("_samr_query_aliasinfo: %d\n", __LINE__
));
1339 /* find the policy handle. open a policy on it. */
1340 if (!get_lsa_policy_samr_sid(p
, &q_u
->pol
, &sid
, &acc_granted
))
1341 return NT_STATUS_INVALID_HANDLE
;
1342 if (!NT_STATUS_IS_OK(r_u
->status
= access_check_samr_function(acc_granted
, ALIAS_ACCESS_LOOKUP_INFO
, "_samr_query_aliasinfo"))) {
1346 if (!sid_check_is_in_our_domain(&sid
) &&
1347 !sid_check_is_in_builtin(&sid
))
1348 return NT_STATUS_OBJECT_TYPE_MISMATCH
;
1350 if (!get_local_group_from_sid(sid
, &map
, MAPPING_WITHOUT_PRIV
))
1351 return NT_STATUS_NO_SUCH_ALIAS
;
1353 switch (q_u
->switch_level
) {
1356 r_u
->ctr
.switch_value1
= 1;
1357 init_samr_alias_info1(&r_u
->ctr
.alias
.info1
, map
.nt_name
, 1, map
.comment
);
1361 r_u
->ctr
.switch_value1
= 3;
1362 init_samr_alias_info3(&r_u
->ctr
.alias
.info3
, map
.comment
);
1365 return NT_STATUS_INVALID_INFO_CLASS
;
1368 DEBUG(5,("_samr_query_aliasinfo: %d\n", __LINE__
));
1374 /*******************************************************************
1375 samr_reply_lookup_ids
1376 ********************************************************************/
1378 uint32
_samr_lookup_ids(pipes_struct
*p
, SAMR_Q_LOOKUP_IDS
*q_u
, SAMR_R_LOOKUP_IDS
*r_u
)
1380 uint32 rid
[MAX_SAM_ENTRIES
];
1381 int num_rids
= q_u
->num_sids1
;
1383 r_u
->status
= NT_STATUS_OK
;
1385 DEBUG(5,("_samr_lookup_ids: %d\n", __LINE__
));
1387 if (num_rids
> MAX_SAM_ENTRIES
) {
1388 num_rids
= MAX_SAM_ENTRIES
;
1389 DEBUG(5,("_samr_lookup_ids: truncating entries to %d\n", num_rids
));
1394 SMB_ASSERT_ARRAY(q_u
->uni_user_name
, num_rids
);
1396 for (i
= 0; i
< num_rids
&& status
== 0; i
++)
1398 struct sam_passwd
*sam_pass
;
1402 fstrcpy(user_name
, unistrn2(q_u
->uni_user_name
[i
].buffer
,
1403 q_u
->uni_user_name
[i
].uni_str_len
));
1405 /* find the user account */
1407 sam_pass
= get_smb21pwd_entry(user_name
, 0);
1410 if (sam_pass
== NULL
)
1412 status
= 0xC0000000 | NT_STATUS_NO_SUCH_USER
;
1417 rid
[i
] = sam_pass
->user_rid
;
1423 rid
[0] = BUILTIN_ALIAS_RID_USERS
;
1425 init_samr_r_lookup_ids(&r_u
, num_rids
, rid
, NT_STATUS_OK
);
1427 DEBUG(5,("_samr_lookup_ids: %d\n", __LINE__
));
1433 /*******************************************************************
1435 ********************************************************************/
1437 NTSTATUS
_samr_lookup_names(pipes_struct
*p
, SAMR_Q_LOOKUP_NAMES
*q_u
, SAMR_R_LOOKUP_NAMES
*r_u
)
1439 uint32 rid
[MAX_SAM_ENTRIES
];
1441 enum SID_NAME_USE type
[MAX_SAM_ENTRIES
];
1442 enum SID_NAME_USE local_type
;
1444 int num_rids
= q_u
->num_names2
;
1449 r_u
->status
= NT_STATUS_OK
;
1451 DEBUG(5,("_samr_lookup_names: %d\n", __LINE__
));
1456 if (!get_lsa_policy_samr_sid(p
, &q_u
->pol
, &pol_sid
, &acc_granted
)) {
1457 init_samr_r_lookup_names(p
->mem_ctx
, r_u
, 0, NULL
, NULL
, NT_STATUS_OBJECT_TYPE_MISMATCH
);
1461 if (!NT_STATUS_IS_OK(r_u
->status
= access_check_samr_function(acc_granted
, 0, "_samr_lookup_names"))) { /* Don't know the acc_bits yet */
1465 if (num_rids
> MAX_SAM_ENTRIES
) {
1466 num_rids
= MAX_SAM_ENTRIES
;
1467 DEBUG(5,("_samr_lookup_names: truncating entries to %d\n", num_rids
));
1470 DEBUG(5,("_samr_lookup_names: looking name on SID %s\n", sid_to_string(sid_str
, &pol_sid
)));
1472 become_root(); /* local_lookup_name can require root privs */
1474 for (i
= 0; i
< num_rids
; i
++) {
1478 r_u
->status
= NT_STATUS_NONE_MAPPED
;
1480 rid
[i
] = 0xffffffff;
1481 type
[i
] = SID_NAME_UNKNOWN
;
1483 rpcstr_pull(name
, q_u
->uni_name
[i
].buffer
, sizeof(name
), q_u
->uni_name
[i
].uni_str_len
*2, 0);
1486 * we are only looking for a name
1487 * the SID we get back can be outside
1488 * the scope of the pol_sid
1490 * in clear: it prevents to reply to domain\group: yes
1491 * when only builtin\group exists.
1493 * a cleaner code is to add the sid of the domain we're looking in
1494 * to the local_lookup_name function.
1496 if(local_lookup_name(name
, &sid
, &local_type
)) {
1497 sid_split_rid(&sid
, &local_rid
);
1499 if (sid_equal(&sid
, &pol_sid
)) {
1502 r_u
->status
= NT_STATUS_OK
;
1509 init_samr_r_lookup_names(p
->mem_ctx
, r_u
, num_rids
, rid
, (uint32
*)type
, r_u
->status
);
1511 DEBUG(5,("_samr_lookup_names: %d\n", __LINE__
));
1516 /*******************************************************************
1517 _samr_chgpasswd_user
1518 ********************************************************************/
1520 NTSTATUS
_samr_chgpasswd_user(pipes_struct
*p
, SAMR_Q_CHGPASSWD_USER
*q_u
, SAMR_R_CHGPASSWD_USER
*r_u
)
1525 DEBUG(5,("_samr_chgpasswd_user: %d\n", __LINE__
));
1527 r_u
->status
= NT_STATUS_OK
;
1529 rpcstr_pull(user_name
, q_u
->uni_user_name
.buffer
, sizeof(user_name
), q_u
->uni_user_name
.uni_str_len
*2, 0);
1530 rpcstr_pull(wks
, q_u
->uni_dest_host
.buffer
, sizeof(wks
), q_u
->uni_dest_host
.uni_str_len
*2,0);
1532 DEBUG(5,("samr_chgpasswd_user: user: %s wks: %s\n", user_name
, wks
));
1535 * Pass the user through the NT -> unix user mapping
1539 (void)map_username(user_name
);
1542 * UNIX username case mangling not required, pass_oem_change
1543 * is case insensitive.
1546 if (!pass_oem_change(user_name
, q_u
->lm_newpass
.pass
, q_u
->lm_oldhash
.hash
,
1547 q_u
->nt_newpass
.pass
, q_u
->nt_oldhash
.hash
))
1548 r_u
->status
= NT_STATUS_WRONG_PASSWORD
;
1550 init_samr_r_chgpasswd_user(r_u
, r_u
->status
);
1552 DEBUG(5,("_samr_chgpasswd_user: %d\n", __LINE__
));
1557 /*******************************************************************
1558 makes a SAMR_R_LOOKUP_RIDS structure.
1559 ********************************************************************/
1561 static BOOL
make_samr_lookup_rids(TALLOC_CTX
*ctx
, uint32 num_names
, fstring names
[],
1562 UNIHDR
**pp_hdr_name
, UNISTR2
**pp_uni_name
)
1565 UNIHDR
*hdr_name
=NULL
;
1566 UNISTR2
*uni_name
=NULL
;
1568 *pp_uni_name
= NULL
;
1569 *pp_hdr_name
= NULL
;
1571 if (num_names
!= 0) {
1572 hdr_name
= (UNIHDR
*)talloc_zero(ctx
, sizeof(UNIHDR
)*num_names
);
1573 if (hdr_name
== NULL
)
1576 uni_name
= (UNISTR2
*)talloc_zero(ctx
,sizeof(UNISTR2
)*num_names
);
1577 if (uni_name
== NULL
)
1581 for (i
= 0; i
< num_names
; i
++) {
1582 int len
= names
[i
] != NULL
? strlen(names
[i
]) : 0;
1583 DEBUG(10, ("names[%d]:%s\n", i
, names
[i
]));
1584 init_uni_hdr(&hdr_name
[i
], len
);
1585 init_unistr2(&uni_name
[i
], names
[i
], len
);
1588 *pp_uni_name
= uni_name
;
1589 *pp_hdr_name
= hdr_name
;
1594 /*******************************************************************
1596 ********************************************************************/
1598 NTSTATUS
_samr_lookup_rids(pipes_struct
*p
, SAMR_Q_LOOKUP_RIDS
*q_u
, SAMR_R_LOOKUP_RIDS
*r_u
)
1600 fstring group_names
[MAX_SAM_ENTRIES
];
1601 uint32
*group_attrs
= NULL
;
1602 UNIHDR
*hdr_name
= NULL
;
1603 UNISTR2
*uni_name
= NULL
;
1605 int num_rids
= q_u
->num_rids1
;
1609 r_u
->status
= NT_STATUS_OK
;
1611 DEBUG(5,("_samr_lookup_rids: %d\n", __LINE__
));
1613 /* find the policy handle. open a policy on it. */
1614 if (!get_lsa_policy_samr_sid(p
, &q_u
->pol
, &pol_sid
, &acc_granted
))
1615 return NT_STATUS_INVALID_HANDLE
;
1617 if (num_rids
> MAX_SAM_ENTRIES
) {
1618 num_rids
= MAX_SAM_ENTRIES
;
1619 DEBUG(5,("_samr_lookup_rids: truncating entries to %d\n", num_rids
));
1623 if ((group_attrs
= (uint32
*)talloc_zero(p
->mem_ctx
, num_rids
* sizeof(uint32
))) == NULL
)
1624 return NT_STATUS_NO_MEMORY
;
1627 r_u
->status
= NT_STATUS_NONE_MAPPED
;
1629 become_root(); /* lookup_sid can require root privs */
1631 for (i
= 0; i
< num_rids
; i
++) {
1635 enum SID_NAME_USE type
;
1637 group_attrs
[i
] = SID_NAME_UNKNOWN
;
1638 *group_names
[i
] = '\0';
1640 if (sid_equal(&pol_sid
, get_global_sam_sid())) {
1641 sid_copy(&sid
, &pol_sid
);
1642 sid_append_rid(&sid
, q_u
->rid
[i
]);
1644 if (lookup_sid(&sid
, domname
, tmpname
, &type
)) {
1645 r_u
->status
= NT_STATUS_OK
;
1646 group_attrs
[i
] = (uint32
)type
;
1647 fstrcpy(group_names
[i
],tmpname
);
1648 DEBUG(5,("_samr_lookup_rids: %s:%d\n", group_names
[i
], group_attrs
[i
]));
1655 if(!make_samr_lookup_rids(p
->mem_ctx
, num_rids
, group_names
, &hdr_name
, &uni_name
))
1656 return NT_STATUS_NO_MEMORY
;
1658 init_samr_r_lookup_rids(r_u
, num_rids
, hdr_name
, uni_name
, group_attrs
);
1660 DEBUG(5,("_samr_lookup_rids: %d\n", __LINE__
));
1665 /*******************************************************************
1666 _api_samr_open_user. Safe - gives out no passwd info.
1667 ********************************************************************/
1669 NTSTATUS
_api_samr_open_user(pipes_struct
*p
, SAMR_Q_OPEN_USER
*q_u
, SAMR_R_OPEN_USER
*r_u
)
1671 SAM_ACCOUNT
*sampass
=NULL
;
1673 POLICY_HND domain_pol
= q_u
->domain_pol
;
1674 POLICY_HND
*user_pol
= &r_u
->user_pol
;
1675 struct samr_info
*info
= NULL
;
1676 SEC_DESC
*psd
= NULL
;
1678 uint32 des_access
= q_u
->access_mask
;
1683 r_u
->status
= NT_STATUS_OK
;
1685 /* find the domain policy handle and get domain SID / access bits in the domain policy. */
1686 if (!get_lsa_policy_samr_sid(p
, &domain_pol
, &sid
, &acc_granted
))
1687 return NT_STATUS_INVALID_HANDLE
;
1689 if (!NT_STATUS_IS_OK(nt_status
= access_check_samr_function(acc_granted
, DOMAIN_ACCESS_OPEN_ACCOUNT
, "_samr_open_user"))) {
1693 nt_status
= pdb_init_sam_talloc(p
->mem_ctx
, &sampass
);
1694 if (!NT_STATUS_IS_OK(nt_status
)) {
1698 /* append the user's RID to it */
1699 if (!sid_append_rid(&sid
, q_u
->user_rid
))
1700 return NT_STATUS_NO_SUCH_USER
;
1702 /* check if access can be granted as requested by client. */
1703 samr_make_usr_obj_sd(p
->mem_ctx
, &psd
, &sd_size
, &sid
);
1704 se_map_generic(&des_access
, &usr_generic_mapping
);
1705 if (!NT_STATUS_IS_OK(nt_status
=
1706 access_check_samr_object(psd
, p
->pipe_user
.nt_user_token
,
1707 des_access
, &acc_granted
, "_samr_open_user"))) {
1712 ret
=pdb_getsampwsid(sampass
, &sid
);
1715 /* check that the SID exists in our domain. */
1717 return NT_STATUS_NO_SUCH_USER
;
1720 pdb_free_sam(&sampass
);
1722 /* associate the user's SID and access bits with the new handle. */
1723 if ((info
= get_samr_info_by_sid(&sid
)) == NULL
)
1724 return NT_STATUS_NO_MEMORY
;
1725 info
->acc_granted
= acc_granted
;
1727 /* get a (unique) handle. open a policy on it. */
1728 if (!create_policy_hnd(p
, user_pol
, free_samr_info
, (void *)info
))
1729 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
1734 /*************************************************************************
1735 get_user_info_10. Safe. Only gives out acb bits.
1736 *************************************************************************/
1738 static NTSTATUS
get_user_info_10(TALLOC_CTX
*mem_ctx
, SAM_USER_INFO_10
*id10
, DOM_SID
*user_sid
)
1740 SAM_ACCOUNT
*smbpass
=NULL
;
1744 nt_status
= pdb_init_sam_talloc(mem_ctx
, &smbpass
);
1746 if (!NT_STATUS_IS_OK(nt_status
)) {
1751 ret
= pdb_getsampwsid(smbpass
, user_sid
);
1755 DEBUG(4,("User %s not found\n", sid_string_static(user_sid
)));
1756 return NT_STATUS_NO_SUCH_USER
;
1759 DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass
) ));
1762 init_sam_user_info10(id10
, pdb_get_acct_ctrl(smbpass
) );
1764 pdb_free_sam(&smbpass
);
1766 return NT_STATUS_OK
;
1769 /*************************************************************************
1770 get_user_info_12. OK - this is the killer as it gives out password info.
1771 Ensure that this is only allowed on an encrypted connection with a root
1773 *************************************************************************/
1775 static NTSTATUS
get_user_info_12(pipes_struct
*p
, TALLOC_CTX
*mem_ctx
, SAM_USER_INFO_12
* id12
, DOM_SID
*user_sid
)
1777 SAM_ACCOUNT
*smbpass
=NULL
;
1781 if (!p
->ntlmssp_auth_validated
)
1782 return NT_STATUS_ACCESS_DENIED
;
1784 if (!(p
->ntlmssp_chal_flags
& NTLMSSP_NEGOTIATE_SIGN
) || !(p
->ntlmssp_chal_flags
& NTLMSSP_NEGOTIATE_SEAL
))
1785 return NT_STATUS_ACCESS_DENIED
;
1788 * Do *NOT* do become_root()/unbecome_root() here ! JRA.
1791 nt_status
= pdb_init_sam_talloc(mem_ctx
, &smbpass
);
1793 if (!NT_STATUS_IS_OK(nt_status
)) {
1797 ret
= pdb_getsampwsid(smbpass
, user_sid
);
1800 DEBUG(4, ("User %s not found\n", sid_string_static(user_sid
)));
1801 pdb_free_sam(&smbpass
);
1802 return (geteuid() == (uid_t
)0) ? NT_STATUS_NO_SUCH_USER
: NT_STATUS_ACCESS_DENIED
;
1805 DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass
), pdb_get_acct_ctrl(smbpass
) ));
1807 if ( pdb_get_acct_ctrl(smbpass
) & ACB_DISABLED
) {
1808 pdb_free_sam(&smbpass
);
1809 return NT_STATUS_ACCOUNT_DISABLED
;
1813 init_sam_user_info12(id12
, pdb_get_lanman_passwd(smbpass
), pdb_get_nt_passwd(smbpass
));
1815 pdb_free_sam(&smbpass
);
1817 return NT_STATUS_OK
;
1820 /*************************************************************************
1822 *************************************************************************/
1824 static NTSTATUS
get_user_info_20(TALLOC_CTX
*mem_ctx
, SAM_USER_INFO_20
*id20
, DOM_SID
*user_sid
)
1826 SAM_ACCOUNT
*sampass
=NULL
;
1829 pdb_init_sam_talloc(mem_ctx
, &sampass
);
1832 ret
= pdb_getsampwsid(sampass
, user_sid
);
1836 DEBUG(4,("User %s not found\n", sid_string_static(user_sid
)));
1837 return NT_STATUS_NO_SUCH_USER
;
1840 samr_clear_sam_passwd(sampass
);
1842 DEBUG(3,("User:[%s]\n", pdb_get_username(sampass
) ));
1845 init_sam_user_info20A(id20
, sampass
);
1847 pdb_free_sam(&sampass
);
1849 return NT_STATUS_OK
;
1852 /*************************************************************************
1854 *************************************************************************/
1856 static NTSTATUS
get_user_info_21(TALLOC_CTX
*mem_ctx
, SAM_USER_INFO_21
*id21
,
1857 DOM_SID
*user_sid
, DOM_SID
*domain_sid
)
1859 SAM_ACCOUNT
*sampass
=NULL
;
1863 nt_status
= pdb_init_sam_talloc(mem_ctx
, &sampass
);
1864 if (!NT_STATUS_IS_OK(nt_status
)) {
1869 ret
= pdb_getsampwsid(sampass
, user_sid
);
1873 DEBUG(4,("User %s not found\n", sid_string_static(user_sid
)));
1874 return NT_STATUS_NO_SUCH_USER
;
1877 samr_clear_sam_passwd(sampass
);
1879 DEBUG(3,("User:[%s]\n", pdb_get_username(sampass
) ));
1882 nt_status
= init_sam_user_info21A(id21
, sampass
, domain_sid
);
1884 pdb_free_sam(&sampass
);
1886 return NT_STATUS_OK
;
1889 /*******************************************************************
1890 _samr_query_userinfo
1891 ********************************************************************/
1893 NTSTATUS
_samr_query_userinfo(pipes_struct
*p
, SAMR_Q_QUERY_USERINFO
*q_u
, SAMR_R_QUERY_USERINFO
*r_u
)
1895 SAM_USERINFO_CTR
*ctr
;
1896 struct samr_info
*info
= NULL
;
1900 r_u
->status
=NT_STATUS_OK
;
1902 /* search for the handle */
1903 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)&info
))
1904 return NT_STATUS_INVALID_HANDLE
;
1906 domain_sid
= info
->sid
;
1908 sid_split_rid(&domain_sid
, &rid
);
1910 if (!sid_check_is_in_our_domain(&info
->sid
))
1911 return NT_STATUS_OBJECT_TYPE_MISMATCH
;
1913 DEBUG(5,("_samr_query_userinfo: sid:%s\n", sid_string_static(&info
->sid
)));
1915 ctr
= (SAM_USERINFO_CTR
*)talloc_zero(p
->mem_ctx
, sizeof(SAM_USERINFO_CTR
));
1917 return NT_STATUS_NO_MEMORY
;
1921 /* ok! user info levels (lots: see MSDEV help), off we go... */
1922 ctr
->switch_value
= q_u
->switch_value
;
1924 switch (q_u
->switch_value
) {
1926 ctr
->info
.id10
= (SAM_USER_INFO_10
*)talloc_zero(p
->mem_ctx
, sizeof(SAM_USER_INFO_10
));
1927 if (ctr
->info
.id10
== NULL
)
1928 return NT_STATUS_NO_MEMORY
;
1930 if (!NT_STATUS_IS_OK(r_u
->status
= get_user_info_10(p
->mem_ctx
, ctr
->info
.id10
, &info
->sid
)))
1935 /* whoops - got this wrong. i think. or don't understand what's happening. */
1939 info
= (void *)&id11
;
1941 expire
.low
= 0xffffffff;
1942 expire
.high
= 0x7fffffff;
1944 ctr
->info
.id
= (SAM_USER_INFO_11
*)talloc_zero(p
->mem_ctx
,
1949 ZERO_STRUCTP(ctr
->info
.id11
);
1950 init_sam_user_info11(ctr
->info
.id11
, &expire
,
1951 "BROOKFIELDS$", /* name */
1952 0x03ef, /* user rid */
1953 0x201, /* group rid */
1954 0x0080); /* acb info */
1961 ctr
->info
.id12
= (SAM_USER_INFO_12
*)talloc_zero(p
->mem_ctx
, sizeof(SAM_USER_INFO_12
));
1962 if (ctr
->info
.id12
== NULL
)
1963 return NT_STATUS_NO_MEMORY
;
1965 if (!NT_STATUS_IS_OK(r_u
->status
= get_user_info_12(p
, p
->mem_ctx
, ctr
->info
.id12
, &info
->sid
)))
1970 ctr
->info
.id20
= (SAM_USER_INFO_20
*)talloc_zero(p
->mem_ctx
,sizeof(SAM_USER_INFO_20
));
1971 if (ctr
->info
.id20
== NULL
)
1972 return NT_STATUS_NO_MEMORY
;
1973 if (!NT_STATUS_IS_OK(r_u
->status
= get_user_info_20(p
->mem_ctx
, ctr
->info
.id20
, &info
->sid
)))
1978 ctr
->info
.id21
= (SAM_USER_INFO_21
*)talloc_zero(p
->mem_ctx
,sizeof(SAM_USER_INFO_21
));
1979 if (ctr
->info
.id21
== NULL
)
1980 return NT_STATUS_NO_MEMORY
;
1981 if (!NT_STATUS_IS_OK(r_u
->status
= get_user_info_21(p
->mem_ctx
, ctr
->info
.id21
,
1982 &info
->sid
, &domain_sid
)))
1987 return NT_STATUS_INVALID_INFO_CLASS
;
1990 init_samr_r_query_userinfo(r_u
, ctr
, r_u
->status
);
1992 DEBUG(5,("_samr_query_userinfo: %d\n", __LINE__
));
1997 /*******************************************************************
1998 samr_reply_query_usergroups
1999 ********************************************************************/
2001 NTSTATUS
_samr_query_usergroups(pipes_struct
*p
, SAMR_Q_QUERY_USERGROUPS
*q_u
, SAMR_R_QUERY_USERGROUPS
*r_u
)
2003 SAM_ACCOUNT
*sam_pass
=NULL
;
2005 DOM_GID
*gids
= NULL
;
2011 * from the SID in the request:
2012 * we should send back the list of DOMAIN GROUPS
2013 * the user is a member of
2015 * and only the DOMAIN GROUPS
2016 * no ALIASES !!! neither aliases of the domain
2017 * nor aliases of the builtin SID
2022 r_u
->status
= NT_STATUS_OK
;
2024 DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__
));
2026 /* find the policy handle. open a policy on it. */
2027 if (!get_lsa_policy_samr_sid(p
, &q_u
->pol
, &sid
, &acc_granted
))
2028 return NT_STATUS_INVALID_HANDLE
;
2030 if (!NT_STATUS_IS_OK(r_u
->status
= access_check_samr_function(acc_granted
, USER_ACCESS_GET_GROUPS
, "_samr_query_usergroups"))) {
2034 if (!sid_check_is_in_our_domain(&sid
))
2035 return NT_STATUS_OBJECT_TYPE_MISMATCH
;
2037 pdb_init_sam(&sam_pass
);
2040 ret
= pdb_getsampwsid(sam_pass
, &sid
);
2044 pdb_free_sam(&sam_pass
);
2045 return NT_STATUS_NO_SUCH_USER
;
2048 if(!get_domain_user_groups(p
->mem_ctx
, &num_groups
, &gids
, sam_pass
)) {
2049 pdb_free_sam(&sam_pass
);
2050 return NT_STATUS_NO_SUCH_GROUP
;
2053 /* construct the response. lkclXXXX: gids are not copied! */
2054 init_samr_r_query_usergroups(r_u
, num_groups
, gids
, r_u
->status
);
2056 DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__
));
2058 pdb_free_sam(&sam_pass
);
2063 /*******************************************************************
2064 _samr_query_dom_info
2065 ********************************************************************/
2067 NTSTATUS
_samr_query_dom_info(pipes_struct
*p
, SAMR_Q_QUERY_DOMAIN_INFO
*q_u
, SAMR_R_QUERY_DOMAIN_INFO
*r_u
)
2069 struct samr_info
*info
= NULL
;
2071 uint32 min_pass_len
,pass_hist
,flag
;
2072 time_t u_expire
, u_min_age
;
2073 NTTIME nt_expire
, nt_min_age
;
2075 time_t u_lock_duration
, u_reset_time
;
2076 NTTIME nt_lock_duration
, nt_reset_time
;
2082 uint32 account_policy_temp
;
2084 uint32 num_users
=0, num_groups
=0, num_aliases
=0;
2086 if ((ctr
= (SAM_UNK_CTR
*)talloc_zero(p
->mem_ctx
, sizeof(SAM_UNK_CTR
))) == NULL
)
2087 return NT_STATUS_NO_MEMORY
;
2091 r_u
->status
= NT_STATUS_OK
;
2093 DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__
));
2095 /* find the policy handle. open a policy on it. */
2096 if (!find_policy_by_hnd(p
, &q_u
->domain_pol
, (void **)&info
))
2097 return NT_STATUS_INVALID_HANDLE
;
2099 switch (q_u
->switch_value
) {
2102 account_policy_get(AP_MIN_PASSWORD_LEN
, &account_policy_temp
);
2103 min_pass_len
= account_policy_temp
;
2105 account_policy_get(AP_PASSWORD_HISTORY
, &account_policy_temp
);
2106 pass_hist
= account_policy_temp
;
2108 account_policy_get(AP_USER_MUST_LOGON_TO_CHG_PASS
, &account_policy_temp
);
2109 flag
= account_policy_temp
;
2111 account_policy_get(AP_MAX_PASSWORD_AGE
, &account_policy_temp
);
2112 u_expire
= account_policy_temp
;
2114 account_policy_get(AP_MIN_PASSWORD_AGE
, &account_policy_temp
);
2115 u_min_age
= account_policy_temp
;
2117 unix_to_nt_time_abs(&nt_expire
, u_expire
);
2118 unix_to_nt_time_abs(&nt_min_age
, u_min_age
);
2120 init_unk_info1(&ctr
->info
.inf1
, (uint16
)min_pass_len
, (uint16
)pass_hist
,
2121 flag
, nt_expire
, nt_min_age
);
2125 r_u
->status
=load_sampwd_entries(info
, ACB_NORMAL
);
2127 if (!NT_STATUS_IS_OK(r_u
->status
)) {
2128 DEBUG(5, ("_samr_query_dispinfo: load_sampwd_entries failed\n"));
2131 num_users
=info
->disp_info
.num_user_account
;
2134 r_u
->status
=load_group_domain_entries(info
, get_global_sam_sid());
2135 if (!NT_STATUS_IS_OK(r_u
->status
)) {
2136 DEBUG(5, ("_samr_query_dispinfo: load_group_domain_entries failed\n"));
2139 num_groups
=info
->disp_info
.num_group_account
;
2142 /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. */
2143 init_unk_info2(&ctr
->info
.inf2
, global_myworkgroup
, global_myname
, (uint32
) time(NULL
),
2144 num_users
, num_groups
, num_aliases
);
2147 account_policy_get(AP_TIME_TO_LOGOUT
, (int *)&u_logout
);
2148 unix_to_nt_time_abs(&nt_logout
, u_logout
);
2150 init_unk_info3(&ctr
->info
.inf3
, nt_logout
);
2153 init_unk_info5(&ctr
->info
.inf5
, global_myname
);
2156 init_unk_info6(&ctr
->info
.inf6
);
2159 init_unk_info7(&ctr
->info
.inf7
);
2162 account_policy_get(AP_LOCK_ACCOUNT_DURATION
, &account_policy_temp
);
2163 u_lock_duration
= account_policy_temp
;
2165 account_policy_get(AP_RESET_COUNT_TIME
, &account_policy_temp
);
2166 u_reset_time
= account_policy_temp
;
2168 account_policy_get(AP_BAD_ATTEMPT_LOCKOUT
, &account_policy_temp
);
2169 lockout
= account_policy_temp
;
2171 unix_to_nt_time_abs(&nt_lock_duration
, u_lock_duration
);
2172 unix_to_nt_time_abs(&nt_reset_time
, u_reset_time
);
2174 init_unk_info12(&ctr
->info
.inf12
, nt_lock_duration
, nt_reset_time
, (uint16
)lockout
);
2177 return NT_STATUS_INVALID_INFO_CLASS
;
2180 init_samr_r_query_dom_info(r_u
, q_u
->switch_value
, ctr
, NT_STATUS_OK
);
2182 DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__
));
2187 /*******************************************************************
2188 _api_samr_create_user
2189 Create an account, can be either a normal user or a machine.
2190 This funcion will need to be updated for bdc/domain trusts.
2191 ********************************************************************/
2193 NTSTATUS
_api_samr_create_user(pipes_struct
*p
, SAMR_Q_CREATE_USER
*q_u
, SAMR_R_CREATE_USER
*r_u
)
2195 SAM_ACCOUNT
*sam_pass
=NULL
;
2199 POLICY_HND dom_pol
= q_u
->domain_pol
;
2200 UNISTR2 user_account
= q_u
->uni_name
;
2201 uint16 acb_info
= q_u
->acb_info
;
2202 POLICY_HND
*user_pol
= &r_u
->user_pol
;
2203 struct samr_info
*info
= NULL
;
2212 /* Get the domain SID stored in the domain policy */
2213 if (!get_lsa_policy_samr_sid(p
, &dom_pol
, &sid
, &acc_granted
))
2214 return NT_STATUS_INVALID_HANDLE
;
2216 if (!NT_STATUS_IS_OK(nt_status
= access_check_samr_function(acc_granted
, DOMAIN_ACCESS_CREATE_USER
, "_samr_create_user"))) {
2220 /* find the account: tell the caller if it exists.
2221 lkclXXXX i have *no* idea if this is a problem or not
2222 or even if you are supposed to construct a different
2223 reply if the account already exists...
2226 rpcstr_pull(account
, user_account
.buffer
, sizeof(account
), user_account
.uni_str_len
*2, 0);
2229 pdb_init_sam(&sam_pass
);
2232 ret
= pdb_getsampwnam(sam_pass
, account
);
2235 /* this account exists: say so */
2236 pdb_free_sam(&sam_pass
);
2237 return NT_STATUS_USER_EXISTS
;
2240 pdb_free_sam(&sam_pass
);
2243 * NB. VERY IMPORTANT ! This call must be done as the current pipe user,
2244 * *NOT* surrounded by a become_root()/unbecome_root() call. This ensures
2245 * that only people with write access to the smbpasswd file will be able
2246 * to create a user. JRA.
2250 * add the user in the /etc/passwd file or the unix authority system.
2251 * We don't check if the smb_create_user() function succed or not for 2 reasons:
2252 * a) local_password_change() checks for us if the /etc/passwd account really exists
2253 * b) smb_create_user() would return an error if the account already exists
2254 * and as it could return an error also if it can't create the account, it would be tricky.
2256 * So we go the easy way, only check after if the account exists.
2257 * JFM (2/3/2001), to clear any possible bad understanding (-:
2259 * We now have seperate script paramaters for adding users/machines so we
2260 * now have some sainity-checking to match.
2263 DEBUG(10,("checking account %s at pos %d for $ termination\n",account
, strlen(account
)-1));
2265 if ((acb_info
& ACB_WSTRUST
) && (account
[strlen(account
)-1] == '$')) {
2266 pstrcpy(add_script
, lp_addmachine_script());
2267 } else if ((!(acb_info
& ACB_WSTRUST
)) && (account
[strlen(account
)-1] != '$')) {
2268 pstrcpy(add_script
, lp_adduser_script());
2270 DEBUG(0, ("_api_samr_create_user: mismatch between trust flags and $ termination\n"));
2271 pdb_free_sam(&sam_pass
);
2272 return NT_STATUS_UNSUCCESSFUL
;
2277 * we can't check both the ending $ and the acb_info.
2279 * UserManager creates trust accounts (ending in $,
2280 * normal that hidden accounts) with the acb_info equals to ACB_NORMAL.
2283 if (account
[strlen(account
)-1] == '$')
2284 pstrcpy(add_script
, lp_addmachine_script());
2286 pstrcpy(add_script
, lp_adduser_script());
2290 all_string_sub(add_script
, "%u", account
, sizeof(account
));
2291 add_ret
= smbrun(add_script
,NULL
);
2292 DEBUG(3,("_api_samr_create_user: Running the command `%s' gave %d\n", add_script
, add_ret
));
2295 pw
= getpwnam_alloc(account
);
2298 if (!NT_STATUS_IS_OK(nt_status
= pdb_init_sam_pw(&sam_pass
, pw
))) {
2302 passwd_free(&pw
); /* done with this now */
2304 DEBUG(3,("attempting to create non-unix account %s\n", account
));
2306 if (!NT_STATUS_IS_OK(nt_status
= pdb_init_sam(&sam_pass
))) {
2310 if (!pdb_set_username(sam_pass
, account
)) {
2311 pdb_free_sam(&sam_pass
);
2312 return NT_STATUS_NO_MEMORY
;
2316 pdb_set_acct_ctrl(sam_pass
, acb_info
);
2318 if (!pdb_add_sam_account(sam_pass
)) {
2319 pdb_free_sam(&sam_pass
);
2320 DEBUG(0, ("could not add user/computer %s to passdb. Check permissions?\n",
2322 return NT_STATUS_ACCESS_DENIED
;
2325 pdb_reset_sam(sam_pass
);
2327 if (!pdb_getsampwnam(sam_pass
, account
)) {
2328 pdb_free_sam(&sam_pass
);
2329 DEBUG(0, ("could not find user/computer %s just added to passdb?!?\n",
2331 return NT_STATUS_ACCESS_DENIED
;
2334 /* Get the user's SID */
2335 sid_copy(&sid
, pdb_get_user_sid(sam_pass
));
2337 samr_make_usr_obj_sd(p
->mem_ctx
, &psd
, &sd_size
, &sid
);
2338 se_map_generic(&des_access
, &usr_generic_mapping
);
2339 if (!NT_STATUS_IS_OK(nt_status
=
2340 access_check_samr_object(psd
, p
->pipe_user
.nt_user_token
,
2341 des_access
, &acc_granted
, "_samr_create_user"))) {
2345 /* associate the user's SID with the new handle. */
2346 if ((info
= get_samr_info_by_sid(&sid
)) == NULL
) {
2347 pdb_free_sam(&sam_pass
);
2348 return NT_STATUS_NO_MEMORY
;
2353 info
->acc_granted
= acc_granted
;
2355 /* get a (unique) handle. open a policy on it. */
2356 if (!create_policy_hnd(p
, user_pol
, free_samr_info
, (void *)info
)) {
2357 pdb_free_sam(&sam_pass
);
2358 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
2361 r_u
->user_rid
=pdb_get_user_rid(sam_pass
);
2362 r_u
->unknown_0
= 0x000703ff;
2364 pdb_free_sam(&sam_pass
);
2366 return NT_STATUS_OK
;
2369 /*******************************************************************
2370 samr_reply_connect_anon
2371 ********************************************************************/
2373 NTSTATUS
_samr_connect_anon(pipes_struct
*p
, SAMR_Q_CONNECT_ANON
*q_u
, SAMR_R_CONNECT_ANON
*r_u
)
2375 struct samr_info
*info
= NULL
;
2379 if (!pipe_access_check(p
)) {
2380 DEBUG(3, ("access denied to samr_connect_anon\n"));
2381 r_u
->status
= NT_STATUS_ACCESS_DENIED
;
2385 /* set up the SAMR connect_anon response */
2387 r_u
->status
= NT_STATUS_OK
;
2389 /* associate the user's SID with the new handle. */
2390 if ((info
= get_samr_info_by_sid(NULL
)) == NULL
)
2391 return NT_STATUS_NO_MEMORY
;
2393 info
->status
= q_u
->unknown_0
;
2395 /* get a (unique) handle. open a policy on it. */
2396 if (!create_policy_hnd(p
, &r_u
->connect_pol
, free_samr_info
, (void *)info
))
2397 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
2402 /*******************************************************************
2404 ********************************************************************/
2406 NTSTATUS
_samr_connect(pipes_struct
*p
, SAMR_Q_CONNECT
*q_u
, SAMR_R_CONNECT
*r_u
)
2408 struct samr_info
*info
= NULL
;
2409 SEC_DESC
*psd
= NULL
;
2411 uint32 des_access
= q_u
->access_mask
;
2416 DEBUG(5,("_samr_connect: %d\n", __LINE__
));
2420 if (!pipe_access_check(p
)) {
2421 DEBUG(3, ("access denied to samr_connect\n"));
2422 r_u
->status
= NT_STATUS_ACCESS_DENIED
;
2426 samr_make_sam_obj_sd(p
->mem_ctx
, &psd
, &sd_size
);
2427 se_map_generic(&des_access
, &sam_generic_mapping
);
2428 if (!NT_STATUS_IS_OK(nt_status
=
2429 access_check_samr_object(psd
, p
->pipe_user
.nt_user_token
,
2430 des_access
, &acc_granted
, "_samr_connect"))) {
2434 r_u
->status
= NT_STATUS_OK
;
2436 /* associate the user's SID and access granted with the new handle. */
2437 if ((info
= get_samr_info_by_sid(NULL
)) == NULL
)
2438 return NT_STATUS_NO_MEMORY
;
2440 info
->acc_granted
= acc_granted
;
2441 info
->status
= q_u
->access_mask
;
2443 /* get a (unique) handle. open a policy on it. */
2444 if (!create_policy_hnd(p
, &r_u
->connect_pol
, free_samr_info
, (void *)info
))
2445 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
2447 DEBUG(5,("_samr_connect: %d\n", __LINE__
));
2452 /**********************************************************************
2453 api_samr_lookup_domain
2454 **********************************************************************/
2456 NTSTATUS
_samr_lookup_domain(pipes_struct
*p
, SAMR_Q_LOOKUP_DOMAIN
*q_u
, SAMR_R_LOOKUP_DOMAIN
*r_u
)
2458 struct samr_info
*info
;
2459 fstring domain_name
;
2462 r_u
->status
= NT_STATUS_OK
;
2464 if (!find_policy_by_hnd(p
, &q_u
->connect_pol
, (void**)&info
))
2465 return NT_STATUS_INVALID_HANDLE
;
2467 if (!NT_STATUS_IS_OK(r_u
->status
= access_check_samr_function(info
->acc_granted
, SAMR_ACCESS_OPEN_DOMAIN
, "_samr_lookup_domain"))) {
2471 rpcstr_pull(domain_name
, q_u
->uni_domain
.buffer
, sizeof(domain_name
), q_u
->uni_domain
.uni_str_len
*2, 0);
2475 if (!secrets_fetch_domain_sid(domain_name
, &sid
)) {
2476 r_u
->status
= NT_STATUS_NO_SUCH_DOMAIN
;
2479 DEBUG(2,("Returning domain sid for domain %s -> %s\n", domain_name
, sid_string_static(&sid
)));
2481 init_samr_r_lookup_domain(r_u
, &sid
, r_u
->status
);
2486 /******************************************************************
2487 makes a SAMR_R_ENUM_DOMAINS structure.
2488 ********************************************************************/
2490 static BOOL
make_enum_domains(TALLOC_CTX
*ctx
, SAM_ENTRY
**pp_sam
,
2491 UNISTR2
**pp_uni_name
, uint32 num_sam_entries
, fstring doms
[])
2497 DEBUG(5, ("make_enum_domains\n"));
2500 *pp_uni_name
= NULL
;
2502 if (num_sam_entries
== 0)
2505 sam
= (SAM_ENTRY
*)talloc_zero(ctx
, sizeof(SAM_ENTRY
)*num_sam_entries
);
2506 uni_name
= (UNISTR2
*)talloc_zero(ctx
, sizeof(UNISTR2
)*num_sam_entries
);
2508 if (sam
== NULL
|| uni_name
== NULL
)
2511 for (i
= 0; i
< num_sam_entries
; i
++) {
2512 int len
= doms
[i
] != NULL
? strlen(doms
[i
]) : 0;
2514 init_sam_entry(&sam
[i
], len
, 0);
2515 init_unistr2(&uni_name
[i
], doms
[i
], len
);
2519 *pp_uni_name
= uni_name
;
2524 /**********************************************************************
2525 api_samr_enum_domains
2526 **********************************************************************/
2528 NTSTATUS
_samr_enum_domains(pipes_struct
*p
, SAMR_Q_ENUM_DOMAINS
*q_u
, SAMR_R_ENUM_DOMAINS
*r_u
)
2530 struct samr_info
*info
;
2531 uint32 num_entries
= 2;
2535 r_u
->status
= NT_STATUS_OK
;
2537 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void**)&info
))
2538 return NT_STATUS_INVALID_HANDLE
;
2540 if (!NT_STATUS_IS_OK(r_u
->status
= access_check_samr_function(info
->acc_granted
, SAMR_ACCESS_ENUM_DOMAINS
, "_samr_enum_domains"))) {
2544 switch (lp_server_role()) {
2545 case ROLE_DOMAIN_PDC
:
2546 case ROLE_DOMAIN_BDC
:
2547 name
= global_myworkgroup
;
2550 name
= global_myname
;
2553 fstrcpy(dom
[0],name
);
2555 fstrcpy(dom
[1],"Builtin");
2557 if (!make_enum_domains(p
->mem_ctx
, &r_u
->sam
, &r_u
->uni_dom_name
, num_entries
, dom
))
2558 return NT_STATUS_NO_MEMORY
;
2560 init_samr_r_enum_domains(r_u
, q_u
->start_idx
+ num_entries
, num_entries
);
2565 /*******************************************************************
2567 ********************************************************************/
2569 NTSTATUS
_api_samr_open_alias(pipes_struct
*p
, SAMR_Q_OPEN_ALIAS
*q_u
, SAMR_R_OPEN_ALIAS
*r_u
)
2572 POLICY_HND domain_pol
= q_u
->dom_pol
;
2573 uint32 alias_rid
= q_u
->rid_alias
;
2574 POLICY_HND
*alias_pol
= &r_u
->pol
;
2575 struct samr_info
*info
= NULL
;
2576 SEC_DESC
*psd
= NULL
;
2578 uint32 des_access
= q_u
->access_mask
;
2582 r_u
->status
= NT_STATUS_OK
;
2584 /* find the domain policy and get the SID / access bits stored in the domain policy */
2585 if (!get_lsa_policy_samr_sid(p
, &domain_pol
, &sid
, &acc_granted
))
2586 return NT_STATUS_INVALID_HANDLE
;
2588 if (!NT_STATUS_IS_OK(status
= access_check_samr_function(acc_granted
, DOMAIN_ACCESS_OPEN_ACCOUNT
, "_samr_open_alias"))) {
2592 /* append the alias' RID to it */
2593 if (!sid_append_rid(&sid
, alias_rid
))
2594 return NT_STATUS_NO_SUCH_USER
;
2596 /*check if access can be granted as requested by client. */
2597 samr_make_ali_obj_sd(p
->mem_ctx
, &psd
, &sd_size
);
2598 se_map_generic(&des_access
,&ali_generic_mapping
);
2599 if (!NT_STATUS_IS_OK(status
=
2600 access_check_samr_object(psd
, p
->pipe_user
.nt_user_token
,
2601 des_access
, &acc_granted
, "_samr_open_alias"))) {
2606 * we should check if the rid really exist !!!
2610 /* associate the user's SID with the new handle. */
2611 if ((info
= get_samr_info_by_sid(&sid
)) == NULL
)
2612 return NT_STATUS_NO_MEMORY
;
2614 info
->acc_granted
= acc_granted
;
2616 /* get a (unique) handle. open a policy on it. */
2617 if (!create_policy_hnd(p
, alias_pol
, free_samr_info
, (void *)info
))
2618 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
2623 /*******************************************************************
2625 ********************************************************************/
2627 static BOOL
set_user_info_10(const SAM_USER_INFO_10
*id10
, DOM_SID
*sid
)
2629 SAM_ACCOUNT
*pwd
=NULL
;
2634 ret
= pdb_getsampwsid(pwd
, sid
);
2642 DEBUG(5, ("set_user_info_10: NULL id10\n"));
2647 if (!pdb_set_acct_ctrl(pwd
, id10
->acb_info
)) {
2652 if(!pdb_update_sam_account(pwd
)) {
2662 /*******************************************************************
2664 ********************************************************************/
2666 static BOOL
set_user_info_12(SAM_USER_INFO_12
*id12
, DOM_SID
*sid
)
2668 SAM_ACCOUNT
*pwd
= NULL
;
2672 if(!pdb_getsampwsid(pwd
, sid
)) {
2678 DEBUG(2, ("set_user_info_12: id12 is NULL\n"));
2683 if (!pdb_set_lanman_passwd (pwd
, id12
->lm_pwd
)) {
2687 if (!pdb_set_nt_passwd (pwd
, id12
->nt_pwd
)) {
2691 if (!pdb_set_pass_changed_now (pwd
)) {
2696 if(!pdb_update_sam_account(pwd
)) {
2705 /*******************************************************************
2707 ********************************************************************/
2709 static BOOL
set_user_info_21(SAM_USER_INFO_21
*id21
, DOM_SID
*sid
)
2711 SAM_ACCOUNT
*pwd
= NULL
;
2714 DEBUG(5, ("set_user_info_21: NULL id21\n"));
2720 if (!pdb_getsampwsid(pwd
, sid
)) {
2725 copy_id21_to_sam_passwd(pwd
, id21
);
2728 * The funny part about the previous two calls is
2729 * that pwd still has the password hashes from the
2730 * passdb entry. These have not been updated from
2731 * id21. I don't know if they need to be set. --jerry
2734 /* write the change out */
2735 if(!pdb_update_sam_account(pwd
)) {
2745 /*******************************************************************
2747 ********************************************************************/
2749 static BOOL
set_user_info_23(SAM_USER_INFO_23
*id23
, DOM_SID
*sid
)
2751 SAM_ACCOUNT
*pwd
= NULL
;
2752 pstring plaintext_buf
;
2757 DEBUG(5, ("set_user_info_23: NULL id23\n"));
2763 if (!pdb_getsampwsid(pwd
, sid
)) {
2768 DEBUG(5, ("Attempting administrator password change (level 23) for user %s\n",
2769 pdb_get_username(pwd
)));
2771 acct_ctrl
= pdb_get_acct_ctrl(pwd
);
2773 copy_id23_to_sam_passwd(pwd
, id23
);
2775 if (!decode_pw_buffer((char*)id23
->pass
, plaintext_buf
, 256, &len
)) {
2780 if (!pdb_set_plaintext_passwd (pwd
, plaintext_buf
)) {
2785 /* if it's a trust account, don't update /etc/passwd */
2786 if ( (!IS_SAM_UNIX_USER(pwd
)) ||
2787 ( (acct_ctrl
& ACB_DOMTRUST
) == ACB_DOMTRUST
) ||
2788 ( (acct_ctrl
& ACB_WSTRUST
) == ACB_WSTRUST
) ||
2789 ( (acct_ctrl
& ACB_SVRTRUST
) == ACB_SVRTRUST
) ) {
2790 DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
2792 /* update the UNIX password */
2793 if (lp_unix_password_sync() )
2794 if(!chgpasswd(pdb_get_username(pwd
), "", plaintext_buf
, True
)) {
2800 ZERO_STRUCT(plaintext_buf
);
2802 if(!pdb_update_sam_account(pwd
)) {
2812 /*******************************************************************
2814 ********************************************************************/
2816 static BOOL
set_user_info_pw(char *pass
, DOM_SID
*sid
)
2818 SAM_ACCOUNT
*pwd
= NULL
;
2820 pstring plaintext_buf
;
2825 if (!pdb_getsampwsid(pwd
, sid
)) {
2830 DEBUG(5, ("Attempting administrator password change for user %s\n",
2831 pdb_get_username(pwd
)));
2833 acct_ctrl
= pdb_get_acct_ctrl(pwd
);
2835 ZERO_STRUCT(plaintext_buf
);
2837 if (!decode_pw_buffer(pass
, plaintext_buf
, 256, &len
)) {
2842 if (!pdb_set_plaintext_passwd (pwd
, plaintext_buf
)) {
2847 /* if it's a trust account, don't update /etc/passwd */
2848 if ( (!IS_SAM_UNIX_USER(pwd
)) ||
2849 ( (acct_ctrl
& ACB_DOMTRUST
) == ACB_DOMTRUST
) ||
2850 ( (acct_ctrl
& ACB_WSTRUST
) == ACB_WSTRUST
) ||
2851 ( (acct_ctrl
& ACB_SVRTRUST
) == ACB_SVRTRUST
) ) {
2852 DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
2854 /* update the UNIX password */
2855 if (lp_unix_password_sync()) {
2856 if(!chgpasswd(pdb_get_username(pwd
), "", plaintext_buf
, True
)) {
2863 ZERO_STRUCT(plaintext_buf
);
2865 DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n"));
2867 /* update the SAMBA password */
2868 if(!pdb_update_sam_account(pwd
)) {
2878 /*******************************************************************
2879 samr_reply_set_userinfo
2880 ********************************************************************/
2882 NTSTATUS
_samr_set_userinfo(pipes_struct
*p
, SAMR_Q_SET_USERINFO
*q_u
, SAMR_R_SET_USERINFO
*r_u
)
2885 POLICY_HND
*pol
= &q_u
->pol
;
2886 uint16 switch_value
= q_u
->switch_value
;
2887 SAM_USERINFO_CTR
*ctr
= q_u
->ctr
;
2889 uint32 acc_required
;
2891 DEBUG(5, ("_samr_set_userinfo: %d\n", __LINE__
));
2893 r_u
->status
= NT_STATUS_OK
;
2895 /* find the policy handle. open a policy on it. */
2896 if (!get_lsa_policy_samr_sid(p
, pol
, &sid
, &acc_granted
))
2897 return NT_STATUS_INVALID_HANDLE
;
2899 acc_required
= USER_ACCESS_SET_LOC_COM
| USER_ACCESS_SET_ATTRIBUTES
; /* This is probably wrong */
2900 if (!NT_STATUS_IS_OK(r_u
->status
= access_check_samr_function(acc_granted
, acc_required
, "_samr_set_userinfo"))) {
2904 DEBUG(5, ("_samr_set_userinfo: sid:%s, level:%d\n", sid_string_static(&sid
), switch_value
));
2907 DEBUG(5, ("_samr_set_userinfo: NULL info level\n"));
2908 return NT_STATUS_INVALID_INFO_CLASS
;
2911 /* ok! user info levels (lots: see MSDEV help), off we go... */
2912 switch (switch_value
) {
2914 if (!set_user_info_12(ctr
->info
.id12
, &sid
))
2915 return NT_STATUS_ACCESS_DENIED
;
2919 SamOEMhash(ctr
->info
.id24
->pass
, p
->session_key
, 516);
2921 dump_data(100, (char *)ctr
->info
.id24
->pass
, 516);
2923 if (!set_user_info_pw((char *)ctr
->info
.id24
->pass
, &sid
))
2924 return NT_STATUS_ACCESS_DENIED
;
2930 * Currently we don't really know how to unmarshall
2931 * the level 25 struct, and the password encryption
2932 * is different. This is a placeholder for when we
2933 * do understand it. In the meantime just return INVALID
2934 * info level and W2K SP2 drops down to level 23... JRA.
2937 SamOEMhash(ctr
->info
.id25
->pass
, p
->session_key
, 532);
2939 dump_data(100, (char *)ctr
->info
.id25
->pass
, 532);
2941 if (!set_user_info_pw(ctr
->info
.id25
->pass
, &sid
))
2942 return NT_STATUS_ACCESS_DENIED
;
2945 return NT_STATUS_INVALID_INFO_CLASS
;
2948 SamOEMhash(ctr
->info
.id23
->pass
, p
->session_key
, 516);
2950 dump_data(100, (char *)ctr
->info
.id23
->pass
, 516);
2952 if (!set_user_info_23(ctr
->info
.id23
, &sid
))
2953 return NT_STATUS_ACCESS_DENIED
;
2957 return NT_STATUS_INVALID_INFO_CLASS
;
2963 /*******************************************************************
2964 samr_reply_set_userinfo2
2965 ********************************************************************/
2967 NTSTATUS
_samr_set_userinfo2(pipes_struct
*p
, SAMR_Q_SET_USERINFO2
*q_u
, SAMR_R_SET_USERINFO2
*r_u
)
2970 SAM_USERINFO_CTR
*ctr
= q_u
->ctr
;
2971 POLICY_HND
*pol
= &q_u
->pol
;
2972 uint16 switch_value
= q_u
->switch_value
;
2974 uint32 acc_required
;
2976 DEBUG(5, ("samr_reply_set_userinfo2: %d\n", __LINE__
));
2978 r_u
->status
= NT_STATUS_OK
;
2980 /* find the policy handle. open a policy on it. */
2981 if (!get_lsa_policy_samr_sid(p
, pol
, &sid
, &acc_granted
))
2982 return NT_STATUS_INVALID_HANDLE
;
2984 acc_required
= USER_ACCESS_SET_LOC_COM
| USER_ACCESS_SET_ATTRIBUTES
; /* This is probably wrong */
2985 if (!NT_STATUS_IS_OK(r_u
->status
= access_check_samr_function(acc_granted
, acc_required
, "_samr_set_userinfo2"))) {
2989 DEBUG(5, ("samr_reply_set_userinfo2: sid:%s\n", sid_string_static(&sid
)));
2992 DEBUG(5, ("samr_reply_set_userinfo2: NULL info level\n"));
2993 return NT_STATUS_INVALID_INFO_CLASS
;
2996 switch_value
=ctr
->switch_value
;
2998 /* ok! user info levels (lots: see MSDEV help), off we go... */
2999 switch (switch_value
) {
3001 if (!set_user_info_21(ctr
->info
.id21
, &sid
))
3002 return NT_STATUS_ACCESS_DENIED
;
3005 if (!set_user_info_10(ctr
->info
.id10
, &sid
))
3006 return NT_STATUS_ACCESS_DENIED
;
3009 /* Used by AS/U JRA. */
3010 if (!set_user_info_12(ctr
->info
.id12
, &sid
))
3011 return NT_STATUS_ACCESS_DENIED
;
3014 return NT_STATUS_INVALID_INFO_CLASS
;
3020 /*********************************************************************
3021 _samr_query_aliasmem
3022 *********************************************************************/
3024 NTSTATUS
_samr_query_useraliases(pipes_struct
*p
, SAMR_Q_QUERY_USERALIASES
*q_u
, SAMR_R_QUERY_USERALIASES
*r_u
)
3026 int num_groups
= 0, tmp_num_groups
=0;
3027 uint32
*rids
=NULL
, *new_rids
=NULL
, *tmp_rids
=NULL
;
3028 struct samr_info
*info
= NULL
;
3030 /* until i see a real useraliases query, we fack one up */
3032 /* I have seen one, JFM 2/12/2001 */
3034 * Explanation of what this call does:
3035 * for all the SID given in the request:
3036 * return a list of alias (local groups)
3037 * that have those SID as members.
3039 * and that's the alias in the domain specified
3040 * in the policy_handle
3042 * if the policy handle is on an incorrect sid
3043 * for example a user's sid
3044 * we should reply NT_STATUS_OBJECT_TYPE_MISMATCH
3047 r_u
->status
= NT_STATUS_OK
;
3049 DEBUG(5,("_samr_query_useraliases: %d\n", __LINE__
));
3051 /* find the policy handle. open a policy on it. */
3052 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)&info
))
3053 return NT_STATUS_INVALID_HANDLE
;
3055 if (!NT_STATUS_IS_OK(r_u
->status
= access_check_samr_function(info
->acc_granted
, USER_ACCESS_GET_GROUPS
, "_samr_query_useraliases"))) {
3059 if (!sid_check_is_domain(&info
->sid
) &&
3060 !sid_check_is_builtin(&info
->sid
))
3061 return NT_STATUS_OBJECT_TYPE_MISMATCH
;
3064 for (i
=0; i
<q_u
->num_sids1
; i
++) {
3066 r_u
->status
=get_alias_user_groups(p
->mem_ctx
, &info
->sid
, &tmp_num_groups
, &tmp_rids
, &(q_u
->sid
[i
].sid
));
3069 * if there is an error, we just continue as
3070 * it can be an unfound user or group
3072 if (!NT_STATUS_IS_OK(r_u
->status
)) {
3073 DEBUG(10,("_samr_query_useraliases: an error occured while getting groups\n"));
3077 if (tmp_num_groups
==0) {
3078 DEBUG(10,("_samr_query_useraliases: no groups found\n"));
3082 new_rids
=(uint32
*)talloc_realloc(p
->mem_ctx
, rids
, (num_groups
+tmp_num_groups
)*sizeof(uint32
));
3083 if (new_rids
==NULL
) {
3084 DEBUG(0,("_samr_query_useraliases: could not realloc memory\n"));
3085 return NT_STATUS_NO_MEMORY
;
3089 for (j
=0; j
<tmp_num_groups
; j
++)
3090 rids
[j
+num_groups
]=tmp_rids
[j
];
3092 safe_free(tmp_rids
);
3094 num_groups
+=tmp_num_groups
;
3097 init_samr_r_query_useraliases(r_u
, num_groups
, rids
, NT_STATUS_OK
);
3098 return NT_STATUS_OK
;
3101 /*********************************************************************
3102 _samr_query_aliasmem
3103 *********************************************************************/
3105 NTSTATUS
_samr_query_aliasmem(pipes_struct
*p
, SAMR_Q_QUERY_ALIASMEM
*q_u
, SAMR_R_QUERY_ALIASMEM
*r_u
)
3117 fstring alias_sid_str
;
3120 SAM_ACCOUNT
*sam_user
= NULL
;
3124 /* find the policy handle. open a policy on it. */
3125 if (!get_lsa_policy_samr_sid(p
, &q_u
->alias_pol
, &alias_sid
, &acc_granted
))
3126 return NT_STATUS_INVALID_HANDLE
;
3128 if (!NT_STATUS_IS_OK(r_u
->status
= access_check_samr_function(acc_granted
, ALIAS_ACCESS_GET_MEMBERS
, "_samr_query_aliasmem"))) {
3132 sid_copy(&als_sid
, &alias_sid
);
3133 sid_to_string(alias_sid_str
, &alias_sid
);
3134 sid_split_rid(&alias_sid
, &alias_rid
);
3136 DEBUG(10, ("sid is %s\n", alias_sid_str
));
3138 if (sid_equal(&alias_sid
, &global_sid_Builtin
)) {
3139 DEBUG(10, ("lookup on Builtin SID (S-1-5-32)\n"));
3140 if(!get_local_group_from_sid(als_sid
, &map
, MAPPING_WITHOUT_PRIV
))
3141 return NT_STATUS_NO_SUCH_ALIAS
;
3143 if (sid_equal(&alias_sid
, get_global_sam_sid())) {
3144 DEBUG(10, ("lookup on Server SID\n"));
3145 if(!get_local_group_from_sid(als_sid
, &map
, MAPPING_WITHOUT_PRIV
))
3146 return NT_STATUS_NO_SUCH_ALIAS
;
3150 if(!get_uid_list_of_group(map
.gid
, &uid
, &num_uids
))
3151 return NT_STATUS_NO_SUCH_ALIAS
;
3153 DEBUG(10, ("sid is %s\n", alias_sid_str
));
3154 sid
= (DOM_SID2
*)talloc_zero(p
->mem_ctx
, sizeof(DOM_SID2
) * num_uids
);
3155 if (num_uids
!=0 && sid
== NULL
)
3156 return NT_STATUS_NO_MEMORY
;
3158 for (i
= 0; i
< num_uids
; i
++) {
3159 struct passwd
*pass
;
3162 sid_copy(&temp_sid
, get_global_sam_sid());
3164 pass
= getpwuid_alloc(uid
[i
]);
3165 if (!pass
) continue;
3167 if (!NT_STATUS_IS_OK(pdb_init_sam(&sam_user
))) {
3173 check
= pdb_getsampwnam(sam_user
, pass
->pw_name
);
3176 if (check
!= True
) {
3177 pdb_free_sam(&sam_user
);
3182 rid
= pdb_get_user_rid(sam_user
);
3184 pdb_free_sam(&sam_user
);
3189 pdb_free_sam(&sam_user
);
3192 sid_append_rid(&temp_sid
, rid
);
3194 init_dom_sid2(&sid
[i
], &temp_sid
);
3197 DEBUG(10, ("sid is %s\n", alias_sid_str
));
3198 init_samr_r_query_aliasmem(r_u
, num_uids
, sid
, NT_STATUS_OK
);
3200 return NT_STATUS_OK
;
3203 /*********************************************************************
3204 _samr_query_groupmem
3205 *********************************************************************/
3207 NTSTATUS
_samr_query_groupmem(pipes_struct
*p
, SAMR_Q_QUERY_GROUPMEM
*q_u
, SAMR_R_QUERY_GROUPMEM
*r_u
)
3213 fstring group_sid_str
;
3221 SAM_ACCOUNT
*sam_user
= NULL
;
3225 /* find the policy handle. open a policy on it. */
3226 if (!get_lsa_policy_samr_sid(p
, &q_u
->group_pol
, &group_sid
, &acc_granted
))
3227 return NT_STATUS_INVALID_HANDLE
;
3229 if (!NT_STATUS_IS_OK(r_u
->status
= access_check_samr_function(acc_granted
, GROUP_ACCESS_GET_MEMBERS
, "_samr_query_groupmem"))) {
3233 /* todo: change to use sid_compare_front */
3235 sid_split_rid(&group_sid
, &group_rid
);
3236 sid_to_string(group_sid_str
, &group_sid
);
3237 DEBUG(10, ("sid is %s\n", group_sid_str
));
3239 /* can we get a query for an SID outside our domain ? */
3240 if (!sid_equal(&group_sid
, get_global_sam_sid()))
3241 return NT_STATUS_NO_SUCH_GROUP
;
3243 sid_append_rid(&group_sid
, group_rid
);
3244 DEBUG(10, ("lookup on Domain SID\n"));
3246 if(!get_domain_group_from_sid(group_sid
, &map
, MAPPING_WITHOUT_PRIV
))
3247 return NT_STATUS_NO_SUCH_GROUP
;
3249 if(!get_uid_list_of_group(map
.gid
, &uid
, &num_uids
))
3250 return NT_STATUS_NO_SUCH_GROUP
;
3252 rid
=talloc_zero(p
->mem_ctx
, sizeof(uint32
)*num_uids
);
3253 attr
=talloc_zero(p
->mem_ctx
, sizeof(uint32
)*num_uids
);
3255 if (num_uids
!=0 && (rid
==NULL
|| attr
==NULL
))
3256 return NT_STATUS_NO_MEMORY
;
3258 for (i
=0; i
<num_uids
; i
++) {
3259 struct passwd
*pass
;
3262 pass
= getpwuid_alloc(uid
[i
]);
3263 if (!pass
) continue;
3265 if (!NT_STATUS_IS_OK(pdb_init_sam(&sam_user
))) {
3271 check
= pdb_getsampwnam(sam_user
, pass
->pw_name
);
3274 if (check
!= True
) {
3275 pdb_free_sam(&sam_user
);
3280 urid
= pdb_get_user_rid(sam_user
);
3282 pdb_free_sam(&sam_user
);
3287 pdb_free_sam(&sam_user
);
3291 attr
[i
] = SID_NAME_USER
;
3294 init_samr_r_query_groupmem(r_u
, num_uids
, rid
, attr
, NT_STATUS_OK
);
3296 return NT_STATUS_OK
;
3299 /*********************************************************************
3301 *********************************************************************/
3303 NTSTATUS
_samr_add_aliasmem(pipes_struct
*p
, SAMR_Q_ADD_ALIASMEM
*q_u
, SAMR_R_ADD_ALIASMEM
*r_u
)
3306 fstring alias_sid_str
;
3313 SAM_ACCOUNT
*sam_user
= NULL
;
3317 /* Find the policy handle. Open a policy on it. */
3318 if (!get_lsa_policy_samr_sid(p
, &q_u
->alias_pol
, &alias_sid
, &acc_granted
))
3319 return NT_STATUS_INVALID_HANDLE
;
3321 if (!NT_STATUS_IS_OK(r_u
->status
= access_check_samr_function(acc_granted
, ALIAS_ACCESS_ADD_MEMBER
, "_samr_add_aliasmem"))) {
3325 sid_to_string(alias_sid_str
, &alias_sid
);
3326 DEBUG(10, ("sid is %s\n", alias_sid_str
));
3328 if (sid_compare(&alias_sid
, get_global_sam_sid())>0) {
3329 DEBUG(10, ("adding member on Server SID\n"));
3330 if(!get_local_group_from_sid(alias_sid
, &map
, MAPPING_WITHOUT_PRIV
))
3331 return NT_STATUS_NO_SUCH_ALIAS
;
3334 if (sid_compare(&alias_sid
, &global_sid_Builtin
)>0) {
3335 DEBUG(10, ("adding member on BUILTIN SID\n"));
3336 if( !get_local_group_from_sid(alias_sid
, &map
, MAPPING_WITHOUT_PRIV
))
3337 return NT_STATUS_NO_SUCH_ALIAS
;
3340 return NT_STATUS_NO_SUCH_ALIAS
;
3343 ret
= pdb_init_sam(&sam_user
);
3344 if (!NT_STATUS_IS_OK(ret
))
3347 check
= pdb_getsampwsid(sam_user
, &q_u
->sid
.sid
);
3349 if (check
!= True
) {
3350 pdb_free_sam(&sam_user
);
3351 return NT_STATUS_NO_SUCH_USER
;
3354 uid
= pdb_get_uid(sam_user
);
3356 pdb_free_sam(&sam_user
);
3357 return NT_STATUS_NO_SUCH_USER
;
3360 pdb_free_sam(&sam_user
);
3362 if ((pwd
=getpwuid_alloc(uid
)) == NULL
) {
3363 return NT_STATUS_NO_SUCH_USER
;
3368 if ((grp
=getgrgid(map
.gid
)) == NULL
)
3369 return NT_STATUS_NO_SUCH_ALIAS
;
3371 /* we need to copy the name otherwise it's overloaded in user_in_group_list */
3372 fstrcpy(grp_name
, grp
->gr_name
);
3374 /* if the user is already in the group */
3375 if(user_in_group_list(pwd
->pw_name
, grp_name
))
3376 return NT_STATUS_MEMBER_IN_ALIAS
;
3379 * ok, the group exist, the user exist, the user is not in the group,
3380 * we can (finally) add it to the group !
3382 smb_add_user_group(grp_name
, pwd
->pw_name
);
3384 /* check if the user has been added then ... */
3385 if(!user_in_group_list(pwd
->pw_name
, grp_name
))
3386 return NT_STATUS_MEMBER_NOT_IN_ALIAS
; /* don't know what to reply else */
3388 return NT_STATUS_OK
;
3391 /*********************************************************************
3393 *********************************************************************/
3395 NTSTATUS
_samr_del_aliasmem(pipes_struct
*p
, SAMR_Q_DEL_ALIASMEM
*q_u
, SAMR_R_DEL_ALIASMEM
*r_u
)
3398 fstring alias_sid_str
;
3402 SAM_ACCOUNT
*sam_pass
=NULL
;
3405 /* Find the policy handle. Open a policy on it. */
3406 if (!get_lsa_policy_samr_sid(p
, &q_u
->alias_pol
, &alias_sid
, &acc_granted
))
3407 return NT_STATUS_INVALID_HANDLE
;
3409 if (!NT_STATUS_IS_OK(r_u
->status
= access_check_samr_function(acc_granted
, ALIAS_ACCESS_REMOVE_MEMBER
, "_samr_del_aliasmem"))) {
3413 sid_to_string(alias_sid_str
, &alias_sid
);
3414 DEBUG(10, ("_samr_del_aliasmem:sid is %s\n", alias_sid_str
));
3416 if (!sid_check_is_in_our_domain(&alias_sid
) &&
3417 !sid_check_is_in_builtin(&alias_sid
)) {
3418 DEBUG(10, ("_samr_del_aliasmem:invalid alias group\n"));
3419 return NT_STATUS_NO_SUCH_ALIAS
;
3422 if( !get_local_group_from_sid(alias_sid
, &map
, MAPPING_WITHOUT_PRIV
))
3423 return NT_STATUS_NO_SUCH_ALIAS
;
3425 if ((grp
=getgrgid(map
.gid
)) == NULL
)
3426 return NT_STATUS_NO_SUCH_ALIAS
;
3428 /* we need to copy the name otherwise it's overloaded in user_in_group_list */
3429 fstrcpy(grp_name
, grp
->gr_name
);
3431 /* check if the user exists before trying to remove it from the group */
3432 pdb_init_sam(&sam_pass
);
3433 if(!pdb_getsampwsid(sam_pass
, &q_u
->sid
.sid
)) {
3434 DEBUG(5,("_samr_del_aliasmem:User %s doesn't exist.\n", pdb_get_username(sam_pass
)));
3435 pdb_free_sam(&sam_pass
);
3436 return NT_STATUS_NO_SUCH_USER
;
3439 /* if the user is not in the group */
3440 if(!user_in_group_list(pdb_get_username(sam_pass
), grp_name
)) {
3441 pdb_free_sam(&sam_pass
);
3442 return NT_STATUS_MEMBER_IN_ALIAS
;
3445 smb_delete_user_group(grp_name
, pdb_get_username(sam_pass
));
3447 /* check if the user has been removed then ... */
3448 if(user_in_group_list(pdb_get_username(sam_pass
), grp_name
)) {
3449 pdb_free_sam(&sam_pass
);
3450 return NT_STATUS_MEMBER_NOT_IN_ALIAS
; /* don't know what to reply else */
3453 pdb_free_sam(&sam_pass
);
3454 return NT_STATUS_OK
;
3457 /*********************************************************************
3459 *********************************************************************/
3461 NTSTATUS
_samr_add_groupmem(pipes_struct
*p
, SAMR_Q_ADD_GROUPMEM
*q_u
, SAMR_R_ADD_GROUPMEM
*r_u
)
3465 fstring group_sid_str
;
3472 SAM_ACCOUNT
*sam_user
;
3476 /* Find the policy handle. Open a policy on it. */
3477 if (!get_lsa_policy_samr_sid(p
, &q_u
->pol
, &group_sid
, &acc_granted
))
3478 return NT_STATUS_INVALID_HANDLE
;
3480 if (!NT_STATUS_IS_OK(r_u
->status
= access_check_samr_function(acc_granted
, GROUP_ACCESS_ADD_MEMBER
, "_samr_add_groupmem"))) {
3484 sid_to_string(group_sid_str
, &group_sid
);
3485 DEBUG(10, ("sid is %s\n", group_sid_str
));
3487 if (sid_compare(&group_sid
, get_global_sam_sid())<=0)
3488 return NT_STATUS_NO_SUCH_GROUP
;
3490 DEBUG(10, ("lookup on Domain SID\n"));
3492 if(!get_domain_group_from_sid(group_sid
, &map
, MAPPING_WITHOUT_PRIV
))
3493 return NT_STATUS_NO_SUCH_GROUP
;
3495 sid_copy(&user_sid
, get_global_sam_sid());
3496 sid_append_rid(&user_sid
, q_u
->rid
);
3498 ret
= pdb_init_sam(&sam_user
);
3499 if (!NT_STATUS_IS_OK(ret
))
3502 check
= pdb_getsampwsid(sam_user
, &user_sid
);
3504 if (check
!= True
) {
3505 pdb_free_sam(&sam_user
);
3506 return NT_STATUS_NO_SUCH_USER
;
3509 uid
= pdb_get_uid(sam_user
);
3511 pdb_free_sam(&sam_user
);
3512 return NT_STATUS_NO_SUCH_USER
;
3515 pdb_free_sam(&sam_user
);
3517 if ((pwd
=getpwuid_alloc(uid
)) == NULL
) {
3518 return NT_STATUS_NO_SUCH_USER
;
3523 if ((grp
=getgrgid(map
.gid
)) == NULL
)
3524 return NT_STATUS_NO_SUCH_GROUP
;
3526 /* we need to copy the name otherwise it's overloaded in user_in_group_list */
3527 fstrcpy(grp_name
, grp
->gr_name
);
3529 /* if the user is already in the group */
3530 if(user_in_group_list(pwd
->pw_name
, grp_name
))
3531 return NT_STATUS_MEMBER_IN_GROUP
;
3534 * ok, the group exist, the user exist, the user is not in the group,
3536 * we can (finally) add it to the group !
3539 smb_add_user_group(grp_name
, pwd
->pw_name
);
3541 /* check if the user has been added then ... */
3542 if(!user_in_group_list(pwd
->pw_name
, grp_name
))
3543 return NT_STATUS_MEMBER_NOT_IN_GROUP
; /* don't know what to reply else */
3545 return NT_STATUS_OK
;
3548 /*********************************************************************
3550 *********************************************************************/
3552 NTSTATUS
_samr_del_groupmem(pipes_struct
*p
, SAMR_Q_DEL_GROUPMEM
*q_u
, SAMR_R_DEL_GROUPMEM
*r_u
)
3556 SAM_ACCOUNT
*sam_pass
=NULL
;
3563 * delete the group member named q_u->rid
3564 * who is a member of the sid associated with the handle
3565 * the rid is a user's rid as the group is a domain group.
3568 /* Find the policy handle. Open a policy on it. */
3569 if (!get_lsa_policy_samr_sid(p
, &q_u
->pol
, &group_sid
, &acc_granted
))
3570 return NT_STATUS_INVALID_HANDLE
;
3572 if (!NT_STATUS_IS_OK(r_u
->status
= access_check_samr_function(acc_granted
, GROUP_ACCESS_REMOVE_MEMBER
, "_samr_del_groupmem"))) {
3576 if (!sid_check_is_in_our_domain(&group_sid
))
3577 return NT_STATUS_NO_SUCH_GROUP
;
3579 sid_copy(&user_sid
, get_global_sam_sid());
3580 sid_append_rid(&user_sid
, q_u
->rid
);
3582 if (!get_domain_group_from_sid(group_sid
, &map
, MAPPING_WITHOUT_PRIV
))
3583 return NT_STATUS_NO_SUCH_GROUP
;
3585 if ((grp
=getgrgid(map
.gid
)) == NULL
)
3586 return NT_STATUS_NO_SUCH_GROUP
;
3588 /* we need to copy the name otherwise it's overloaded in user_in_group_list */
3589 fstrcpy(grp_name
, grp
->gr_name
);
3591 /* check if the user exists before trying to remove it from the group */
3592 pdb_init_sam(&sam_pass
);
3593 if (!pdb_getsampwsid(sam_pass
, &user_sid
)) {
3594 DEBUG(5,("User %s doesn't exist.\n", pdb_get_username(sam_pass
)));
3595 pdb_free_sam(&sam_pass
);
3596 return NT_STATUS_NO_SUCH_USER
;
3599 /* if the user is not in the group */
3600 if (!user_in_group_list(pdb_get_username(sam_pass
), grp_name
)) {
3601 pdb_free_sam(&sam_pass
);
3602 return NT_STATUS_MEMBER_NOT_IN_GROUP
;
3605 smb_delete_user_group(grp_name
, pdb_get_username(sam_pass
));
3607 /* check if the user has been removed then ... */
3608 if (user_in_group_list(pdb_get_username(sam_pass
), grp_name
)) {
3609 pdb_free_sam(&sam_pass
);
3610 return NT_STATUS_ACCESS_DENIED
; /* don't know what to reply else */
3613 pdb_free_sam(&sam_pass
);
3614 return NT_STATUS_OK
;
3618 /****************************************************************************
3619 Delete a UNIX user on demand.
3620 ****************************************************************************/
3622 static int smb_delete_user(const char *unix_user
)
3627 pstrcpy(del_script
, lp_deluser_script());
3630 all_string_sub(del_script
, "%u", unix_user
, sizeof(pstring
));
3631 ret
= smbrun(del_script
,NULL
);
3632 DEBUG(3,("smb_delete_user: Running the command `%s' gave %d\n",del_script
,ret
));
3636 /*********************************************************************
3637 _samr_delete_dom_user
3638 *********************************************************************/
3640 NTSTATUS
_samr_delete_dom_user(pipes_struct
*p
, SAMR_Q_DELETE_DOM_USER
*q_u
, SAMR_R_DELETE_DOM_USER
*r_u
)
3643 SAM_ACCOUNT
*sam_pass
=NULL
;
3646 DEBUG(5, ("_samr_delete_dom_user: %d\n", __LINE__
));
3648 /* Find the policy handle. Open a policy on it. */
3649 if (!get_lsa_policy_samr_sid(p
, &q_u
->user_pol
, &user_sid
, &acc_granted
))
3650 return NT_STATUS_INVALID_HANDLE
;
3652 if (!NT_STATUS_IS_OK(r_u
->status
= access_check_samr_function(acc_granted
, DELETE_ACCESS
, "_samr_delete_dom_user"))) {
3656 if (!sid_check_is_in_our_domain(&user_sid
))
3657 return NT_STATUS_CANNOT_DELETE
;
3659 /* check if the user exists before trying to delete */
3660 pdb_init_sam(&sam_pass
);
3661 if(!pdb_getsampwsid(sam_pass
, &user_sid
)) {
3662 DEBUG(5,("_samr_delete_dom_user:User %s doesn't exist.\n", pdb_get_username(sam_pass
)));
3663 pdb_free_sam(&sam_pass
);
3664 return NT_STATUS_NO_SUCH_USER
;
3667 /* delete the unix side */
3669 * note: we don't check if the delete really happened
3670 * as the script is not necessary present
3671 * and maybe the sysadmin doesn't want to delete the unix side
3673 smb_delete_user(pdb_get_username(sam_pass
));
3675 /* and delete the samba side */
3676 if (!pdb_delete_sam_account(sam_pass
)) {
3677 DEBUG(5,("_samr_delete_dom_user:Failed to delete entry for user %s.\n", pdb_get_username(sam_pass
)));
3678 pdb_free_sam(&sam_pass
);
3679 return NT_STATUS_CANNOT_DELETE
;
3682 pdb_free_sam(&sam_pass
);
3684 if (!close_policy_hnd(p
, &q_u
->user_pol
))
3685 return NT_STATUS_OBJECT_NAME_INVALID
;
3687 return NT_STATUS_OK
;
3690 /*********************************************************************
3691 _samr_delete_dom_group
3692 *********************************************************************/
3694 NTSTATUS
_samr_delete_dom_group(pipes_struct
*p
, SAMR_Q_DELETE_DOM_GROUP
*q_u
, SAMR_R_DELETE_DOM_GROUP
*r_u
)
3699 fstring group_sid_str
;
3705 DEBUG(5, ("samr_delete_dom_group: %d\n", __LINE__
));
3707 /* Find the policy handle. Open a policy on it. */
3708 if (!get_lsa_policy_samr_sid(p
, &q_u
->group_pol
, &group_sid
, &acc_granted
))
3709 return NT_STATUS_INVALID_HANDLE
;
3711 if (!NT_STATUS_IS_OK(r_u
->status
= access_check_samr_function(acc_granted
, DELETE_ACCESS
, "_samr_delete_dom_group"))) {
3715 sid_copy(&dom_sid
, &group_sid
);
3716 sid_to_string(group_sid_str
, &dom_sid
);
3717 sid_split_rid(&dom_sid
, &group_rid
);
3719 DEBUG(10, ("sid is %s\n", group_sid_str
));
3721 /* we check if it's our SID before deleting */
3722 if (!sid_equal(&dom_sid
, get_global_sam_sid()))
3723 return NT_STATUS_NO_SUCH_GROUP
;
3725 DEBUG(10, ("lookup on Domain SID\n"));
3727 if(!get_domain_group_from_sid(group_sid
, &map
, MAPPING_WITHOUT_PRIV
))
3728 return NT_STATUS_NO_SUCH_GROUP
;
3732 /* check if group really exists */
3733 if ( (grp
=getgrgid(gid
)) == NULL
)
3734 return NT_STATUS_NO_SUCH_GROUP
;
3736 /* we can delete the UNIX group */
3737 smb_delete_group(grp
->gr_name
);
3739 /* check if the group has been successfully deleted */
3740 if ( (grp
=getgrgid(gid
)) != NULL
)
3741 return NT_STATUS_ACCESS_DENIED
;
3743 if(!group_map_remove(group_sid
))
3744 return NT_STATUS_ACCESS_DENIED
;
3746 if (!close_policy_hnd(p
, &q_u
->group_pol
))
3747 return NT_STATUS_OBJECT_NAME_INVALID
;
3749 return NT_STATUS_OK
;
3752 /*********************************************************************
3753 _samr_delete_dom_alias
3754 *********************************************************************/
3756 NTSTATUS
_samr_delete_dom_alias(pipes_struct
*p
, SAMR_Q_DELETE_DOM_ALIAS
*q_u
, SAMR_R_DELETE_DOM_ALIAS
*r_u
)
3761 fstring alias_sid_str
;
3767 DEBUG(5, ("_samr_delete_dom_alias: %d\n", __LINE__
));
3769 /* Find the policy handle. Open a policy on it. */
3770 if (!get_lsa_policy_samr_sid(p
, &q_u
->alias_pol
, &alias_sid
, &acc_granted
))
3771 return NT_STATUS_INVALID_HANDLE
;
3773 if (!NT_STATUS_IS_OK(r_u
->status
= access_check_samr_function(acc_granted
, DELETE_ACCESS
, "_samr_delete_dom_alias"))) {
3777 sid_copy(&dom_sid
, &alias_sid
);
3778 sid_to_string(alias_sid_str
, &dom_sid
);
3779 sid_split_rid(&dom_sid
, &alias_rid
);
3781 DEBUG(10, ("sid is %s\n", alias_sid_str
));
3783 /* we check if it's our SID before deleting */
3784 if (!sid_equal(&dom_sid
, get_global_sam_sid()))
3785 return NT_STATUS_NO_SUCH_ALIAS
;
3787 DEBUG(10, ("lookup on Local SID\n"));
3789 if(!get_local_group_from_sid(alias_sid
, &map
, MAPPING_WITHOUT_PRIV
))
3790 return NT_STATUS_NO_SUCH_ALIAS
;
3794 /* check if group really exists */
3795 if ( (grp
=getgrgid(gid
)) == NULL
)
3796 return NT_STATUS_NO_SUCH_ALIAS
;
3798 /* we can delete the UNIX group */
3799 smb_delete_group(grp
->gr_name
);
3801 /* check if the group has been successfully deleted */
3802 if ( (grp
=getgrgid(gid
)) != NULL
)
3803 return NT_STATUS_ACCESS_DENIED
;
3805 /* don't check if we removed it as it could be an un-mapped group */
3806 group_map_remove(alias_sid
);
3808 if (!close_policy_hnd(p
, &q_u
->alias_pol
))
3809 return NT_STATUS_OBJECT_NAME_INVALID
;
3811 return NT_STATUS_OK
;
3814 /*********************************************************************
3815 _samr_create_dom_group
3816 *********************************************************************/
3818 NTSTATUS
_samr_create_dom_group(pipes_struct
*p
, SAMR_Q_CREATE_DOM_GROUP
*q_u
, SAMR_R_CREATE_DOM_GROUP
*r_u
)
3825 struct samr_info
*info
;
3826 PRIVILEGE_SET priv_set
;
3829 init_privilege(&priv_set
);
3831 /* Find the policy handle. Open a policy on it. */
3832 if (!get_lsa_policy_samr_sid(p
, &q_u
->pol
, &dom_sid
, &acc_granted
))
3833 return NT_STATUS_INVALID_HANDLE
;
3835 if (!NT_STATUS_IS_OK(r_u
->status
= access_check_samr_function(acc_granted
, DOMAIN_ACCESS_CREATE_GROUP
, "_samr_create_dom_group"))) {
3839 if (!sid_equal(&dom_sid
, get_global_sam_sid()))
3840 return NT_STATUS_ACCESS_DENIED
;
3842 /* TODO: check if allowed to create group and add a become_root/unbecome_root pair.*/
3844 unistr2_to_ascii(name
, &q_u
->uni_acct_desc
, sizeof(name
)-1);
3846 /* check if group already exist */
3847 if ((grp
=getgrnam(name
)) != NULL
)
3848 return NT_STATUS_GROUP_EXISTS
;
3850 /* we can create the UNIX group */
3851 smb_create_group(name
);
3853 /* check if the group has been successfully created */
3854 if ((grp
=getgrnam(name
)) == NULL
)
3855 return NT_STATUS_ACCESS_DENIED
;
3857 r_u
->rid
=pdb_gid_to_group_rid(grp
->gr_gid
);
3859 /* add the group to the mapping table */
3860 sid_copy(&info_sid
, get_global_sam_sid());
3861 sid_append_rid(&info_sid
, r_u
->rid
);
3862 sid_to_string(sid_string
, &info_sid
);
3864 if(!add_initial_entry(grp
->gr_gid
, sid_string
, SID_NAME_DOM_GRP
, name
, NULL
, priv_set
, PR_ACCESS_FROM_NETWORK
))
3865 return NT_STATUS_ACCESS_DENIED
;
3867 if ((info
= get_samr_info_by_sid(&info_sid
)) == NULL
)
3868 return NT_STATUS_NO_MEMORY
;
3870 /* get a (unique) handle. open a policy on it. */
3871 if (!create_policy_hnd(p
, &r_u
->pol
, free_samr_info
, (void *)info
))
3872 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
3874 return NT_STATUS_OK
;
3877 /*********************************************************************
3878 _samr_create_dom_alias
3879 *********************************************************************/
3881 NTSTATUS
_samr_create_dom_alias(pipes_struct
*p
, SAMR_Q_CREATE_DOM_ALIAS
*q_u
, SAMR_R_CREATE_DOM_ALIAS
*r_u
)
3888 struct samr_info
*info
;
3889 PRIVILEGE_SET priv_set
;
3892 init_privilege(&priv_set
);
3894 /* Find the policy handle. Open a policy on it. */
3895 if (!get_lsa_policy_samr_sid(p
, &q_u
->dom_pol
, &dom_sid
, &acc_granted
))
3896 return NT_STATUS_INVALID_HANDLE
;
3898 if (!NT_STATUS_IS_OK(r_u
->status
= access_check_samr_function(acc_granted
, DOMAIN_ACCESS_CREATE_ALIAS
, "_samr_create_alias"))) {
3902 if (!sid_equal(&dom_sid
, get_global_sam_sid()))
3903 return NT_STATUS_ACCESS_DENIED
;
3905 /* TODO: check if allowed to create group and add a become_root/unbecome_root pair.*/
3907 unistr2_to_ascii(name
, &q_u
->uni_acct_desc
, sizeof(name
)-1);
3909 /* check if group already exists */
3910 if ( (grp
=getgrnam(name
)) != NULL
)
3911 return NT_STATUS_GROUP_EXISTS
;
3913 /* we can create the UNIX group */
3914 smb_create_group(name
);
3916 /* check if the group has been successfully created */
3917 if ((grp
=getgrnam(name
)) == NULL
)
3918 return NT_STATUS_ACCESS_DENIED
;
3920 r_u
->rid
=pdb_gid_to_group_rid(grp
->gr_gid
);
3922 sid_copy(&info_sid
, get_global_sam_sid());
3923 sid_append_rid(&info_sid
, r_u
->rid
);
3924 sid_to_string(sid_string
, &info_sid
);
3926 /* add the group to the mapping table */
3927 if(!add_initial_entry(grp
->gr_gid
, sid_string
, SID_NAME_ALIAS
, name
, NULL
, priv_set
, PR_ACCESS_FROM_NETWORK
))
3928 return NT_STATUS_ACCESS_DENIED
;
3930 if ((info
= get_samr_info_by_sid(&info_sid
)) == NULL
)
3931 return NT_STATUS_NO_MEMORY
;
3933 /* get a (unique) handle. open a policy on it. */
3934 if (!create_policy_hnd(p
, &r_u
->alias_pol
, free_samr_info
, (void *)info
))
3935 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
3937 return NT_STATUS_OK
;
3940 /*********************************************************************
3941 _samr_query_groupinfo
3943 sends the name/comment pair of a domain group
3944 level 1 send also the number of users of that group
3945 *********************************************************************/
3947 NTSTATUS
_samr_query_groupinfo(pipes_struct
*p
, SAMR_Q_QUERY_GROUPINFO
*q_u
, SAMR_R_QUERY_GROUPINFO
*r_u
)
3953 GROUP_INFO_CTR
*ctr
;
3956 if (!get_lsa_policy_samr_sid(p
, &q_u
->pol
, &group_sid
, &acc_granted
))
3957 return NT_STATUS_INVALID_HANDLE
;
3959 if (!NT_STATUS_IS_OK(r_u
->status
= access_check_samr_function(acc_granted
, GROUP_ACCESS_LOOKUP_INFO
, "_samr_query_groupinfo"))) {
3963 if (!get_domain_group_from_sid(group_sid
, &map
, MAPPING_WITHOUT_PRIV
))
3964 return NT_STATUS_INVALID_HANDLE
;
3966 ctr
=(GROUP_INFO_CTR
*)talloc_zero(p
->mem_ctx
, sizeof(GROUP_INFO_CTR
));
3968 return NT_STATUS_NO_MEMORY
;
3970 switch (q_u
->switch_level
) {
3972 ctr
->switch_value1
= 1;
3973 if(!get_uid_list_of_group(map
.gid
, &uid
, &num_uids
))
3974 return NT_STATUS_NO_SUCH_GROUP
;
3975 init_samr_group_info1(&ctr
->group
.info1
, map
.nt_name
, map
.comment
, num_uids
);
3979 ctr
->switch_value1
= 3;
3980 init_samr_group_info3(&ctr
->group
.info3
);
3983 ctr
->switch_value1
= 4;
3984 init_samr_group_info4(&ctr
->group
.info4
, map
.comment
);
3987 return NT_STATUS_INVALID_INFO_CLASS
;
3990 init_samr_r_query_groupinfo(r_u
, ctr
, NT_STATUS_OK
);
3992 return NT_STATUS_OK
;
3995 /*********************************************************************
3998 update a domain group's comment.
3999 *********************************************************************/
4001 NTSTATUS
_samr_set_groupinfo(pipes_struct
*p
, SAMR_Q_SET_GROUPINFO
*q_u
, SAMR_R_SET_GROUPINFO
*r_u
)
4005 GROUP_INFO_CTR
*ctr
;
4008 if (!get_lsa_policy_samr_sid(p
, &q_u
->pol
, &group_sid
, &acc_granted
))
4009 return NT_STATUS_INVALID_HANDLE
;
4011 if (!NT_STATUS_IS_OK(r_u
->status
= access_check_samr_function(acc_granted
, GROUP_ACCESS_SET_INFO
, "_samr_set_groupinfo"))) {
4015 if (!get_domain_group_from_sid(group_sid
, &map
, MAPPING_WITH_PRIV
))
4016 return NT_STATUS_NO_SUCH_GROUP
;
4020 switch (ctr
->switch_value1
) {
4022 unistr2_to_ascii(map
.comment
, &(ctr
->group
.info1
.uni_acct_desc
), sizeof(map
.comment
)-1);
4025 unistr2_to_ascii(map
.comment
, &(ctr
->group
.info4
.uni_acct_desc
), sizeof(map
.comment
)-1);
4028 free_privilege(&map
.priv_set
);
4029 return NT_STATUS_INVALID_INFO_CLASS
;
4032 if(!add_mapping_entry(&map
, TDB_REPLACE
)) {
4033 free_privilege(&map
.priv_set
);
4034 return NT_STATUS_NO_SUCH_GROUP
;
4037 free_privilege(&map
.priv_set
);
4039 return NT_STATUS_OK
;
4042 /*********************************************************************
4045 update a domain group's comment.
4046 *********************************************************************/
4048 NTSTATUS
_samr_set_aliasinfo(pipes_struct
*p
, SAMR_Q_SET_ALIASINFO
*q_u
, SAMR_R_SET_ALIASINFO
*r_u
)
4052 ALIAS_INFO_CTR
*ctr
;
4055 if (!get_lsa_policy_samr_sid(p
, &q_u
->alias_pol
, &group_sid
, &acc_granted
))
4056 return NT_STATUS_INVALID_HANDLE
;
4058 if (!NT_STATUS_IS_OK(r_u
->status
= access_check_samr_function(acc_granted
, ALIAS_ACCESS_SET_INFO
, "_samr_set_aliasinfo"))) {
4062 if (!get_local_group_from_sid(group_sid
, &map
, MAPPING_WITH_PRIV
))
4063 return NT_STATUS_NO_SUCH_GROUP
;
4067 switch (ctr
->switch_value1
) {
4069 unistr2_to_ascii(map
.comment
, &(ctr
->alias
.info3
.uni_acct_desc
), sizeof(map
.comment
)-1);
4072 free_privilege(&map
.priv_set
);
4073 return NT_STATUS_INVALID_INFO_CLASS
;
4076 if(!add_mapping_entry(&map
, TDB_REPLACE
)) {
4077 free_privilege(&map
.priv_set
);
4078 return NT_STATUS_NO_SUCH_GROUP
;
4081 free_privilege(&map
.priv_set
);
4083 return NT_STATUS_OK
;
4086 /*********************************************************************
4087 _samr_get_dom_pwinfo
4088 *********************************************************************/
4090 NTSTATUS
_samr_get_dom_pwinfo(pipes_struct
*p
, SAMR_Q_GET_DOM_PWINFO
*q_u
, SAMR_R_GET_DOM_PWINFO
*r_u
)
4092 /* Perform access check. Since this rpc does not require a
4093 policy handle it will not be caught by the access checks on
4094 SAMR_CONNECT or SAMR_CONNECT_ANON. */
4096 if (!pipe_access_check(p
)) {
4097 DEBUG(3, ("access denied to samr_get_dom_pwinfo\n"));
4098 r_u
->status
= NT_STATUS_ACCESS_DENIED
;
4102 /* Actually, returning zeros here works quite well :-). */
4104 return NT_STATUS_OK
;
4107 /*********************************************************************
4109 *********************************************************************/
4111 NTSTATUS
_samr_open_group(pipes_struct
*p
, SAMR_Q_OPEN_GROUP
*q_u
, SAMR_R_OPEN_GROUP
*r_u
)
4116 struct samr_info
*info
;
4117 SEC_DESC
*psd
= NULL
;
4124 if (!get_lsa_policy_samr_sid(p
, &q_u
->domain_pol
, &sid
, &acc_granted
))
4125 return NT_STATUS_INVALID_HANDLE
;
4127 if (!NT_STATUS_IS_OK(status
= access_check_samr_function(acc_granted
, DOMAIN_ACCESS_OPEN_ACCOUNT
, "_samr_open_group"))) {
4131 /*check if access can be granted as requested by client. */
4132 samr_make_grp_obj_sd(p
->mem_ctx
, &psd
, &sd_size
);
4133 se_map_generic(&des_access
,&grp_generic_mapping
);
4134 if (!NT_STATUS_IS_OK(status
=
4135 access_check_samr_object(psd
, p
->pipe_user
.nt_user_token
,
4136 des_access
, &acc_granted
, "_samr_open_group"))) {
4141 /* this should not be hard-coded like this */
4142 if (!sid_equal(&sid
, get_global_sam_sid()))
4143 return NT_STATUS_ACCESS_DENIED
;
4145 sid_copy(&info_sid
, get_global_sam_sid());
4146 sid_append_rid(&info_sid
, q_u
->rid_group
);
4147 sid_to_string(sid_string
, &info_sid
);
4149 if ((info
= get_samr_info_by_sid(&info_sid
)) == NULL
)
4150 return NT_STATUS_NO_MEMORY
;
4152 info
->acc_granted
= acc_granted
;
4154 DEBUG(10, ("_samr_open_group:Opening SID: %s\n", sid_string
));
4156 /* check if that group really exists */
4157 if (!get_domain_group_from_sid(info
->sid
, &map
, MAPPING_WITHOUT_PRIV
))
4158 return NT_STATUS_NO_SUCH_GROUP
;
4160 /* get a (unique) handle. open a policy on it. */
4161 if (!create_policy_hnd(p
, &r_u
->pol
, free_samr_info
, (void *)info
))
4162 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
4164 return NT_STATUS_OK
;
4167 /*********************************************************************
4169 *********************************************************************/
4171 NTSTATUS
_samr_unknown_2d(pipes_struct
*p
, SAMR_Q_UNKNOWN_2D
*q_u
, SAMR_R_UNKNOWN_2D
*r_u
)
4173 DEBUG(0,("_samr_unknown_2d: Not yet implemented.\n"));
4174 return NT_STATUS_NOT_IMPLEMENTED
;
4177 /*******************************************************************
4179 ********************************************************************/
4181 NTSTATUS
_samr_unknown_2e(pipes_struct
*p
, SAMR_Q_UNKNOWN_2E
*q_u
, SAMR_R_UNKNOWN_2E
*r_u
)
4183 struct samr_info
*info
= NULL
;
4185 uint32 min_pass_len
,pass_hist
,flag
;
4186 time_t u_expire
, u_min_age
;
4187 NTTIME nt_expire
, nt_min_age
;
4189 time_t u_lock_duration
, u_reset_time
;
4190 NTTIME nt_lock_duration
, nt_reset_time
;
4196 uint32 num_users
=0, num_groups
=0, num_aliases
=0;
4198 uint32 account_policy_temp
;
4200 if ((ctr
= (SAM_UNK_CTR
*)talloc_zero(p
->mem_ctx
, sizeof(SAM_UNK_CTR
))) == NULL
)
4201 return NT_STATUS_NO_MEMORY
;
4205 r_u
->status
= NT_STATUS_OK
;
4207 DEBUG(5,("_samr_unknown_2e: %d\n", __LINE__
));
4209 /* find the policy handle. open a policy on it. */
4210 if (!find_policy_by_hnd(p
, &q_u
->domain_pol
, (void **)&info
))
4211 return NT_STATUS_INVALID_HANDLE
;
4213 switch (q_u
->switch_value
) {
4215 account_policy_get(AP_MIN_PASSWORD_LEN
, &account_policy_temp
);
4216 min_pass_len
= account_policy_temp
;
4218 account_policy_get(AP_PASSWORD_HISTORY
, &account_policy_temp
);
4219 pass_hist
= account_policy_temp
;
4221 account_policy_get(AP_USER_MUST_LOGON_TO_CHG_PASS
, &account_policy_temp
);
4222 flag
= account_policy_temp
;
4224 account_policy_get(AP_MAX_PASSWORD_AGE
, &account_policy_temp
);
4225 u_expire
= account_policy_temp
;
4227 account_policy_get(AP_MIN_PASSWORD_AGE
, &account_policy_temp
);
4228 u_min_age
= account_policy_temp
;
4230 unix_to_nt_time_abs(&nt_expire
, u_expire
);
4231 unix_to_nt_time_abs(&nt_min_age
, u_min_age
);
4233 init_unk_info1(&ctr
->info
.inf1
, (uint16
)min_pass_len
, (uint16
)pass_hist
,
4234 flag
, nt_expire
, nt_min_age
);
4238 r_u
->status
=load_sampwd_entries(info
, ACB_NORMAL
);
4240 if (!NT_STATUS_IS_OK(r_u
->status
)) {
4241 DEBUG(5, ("_samr_query_dispinfo: load_sampwd_entries failed\n"));
4244 num_users
=info
->disp_info
.num_user_account
;
4247 r_u
->status
=load_group_domain_entries(info
, get_global_sam_sid());
4248 if (NT_STATUS_IS_ERR(r_u
->status
)) {
4249 DEBUG(5, ("_samr_query_dispinfo: load_group_domain_entries failed\n"));
4252 num_groups
=info
->disp_info
.num_group_account
;
4255 /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. */
4256 init_unk_info2(&ctr
->info
.inf2
, global_myworkgroup
, global_myname
, (uint32
) time(NULL
),
4257 num_users
, num_groups
, num_aliases
);
4260 account_policy_get(AP_TIME_TO_LOGOUT
, &account_policy_temp
);
4261 u_logout
= account_policy_temp
;
4263 unix_to_nt_time_abs(&nt_logout
, u_logout
);
4265 init_unk_info3(&ctr
->info
.inf3
, nt_logout
);
4268 init_unk_info5(&ctr
->info
.inf5
, global_myname
);
4271 init_unk_info6(&ctr
->info
.inf6
);
4274 init_unk_info7(&ctr
->info
.inf7
);
4277 account_policy_get(AP_LOCK_ACCOUNT_DURATION
, &account_policy_temp
);
4278 u_lock_duration
= account_policy_temp
;
4280 account_policy_get(AP_RESET_COUNT_TIME
, &account_policy_temp
);
4281 u_reset_time
= account_policy_temp
;
4283 account_policy_get(AP_BAD_ATTEMPT_LOCKOUT
, &account_policy_temp
);
4284 lockout
= account_policy_temp
;
4286 unix_to_nt_time_abs(&nt_lock_duration
, u_lock_duration
);
4287 unix_to_nt_time_abs(&nt_reset_time
, u_reset_time
);
4289 init_unk_info12(&ctr
->info
.inf12
, nt_lock_duration
, nt_reset_time
, (uint16
)lockout
);
4292 return NT_STATUS_INVALID_INFO_CLASS
;
4295 init_samr_r_samr_unknown_2e(r_u
, q_u
->switch_value
, ctr
, NT_STATUS_OK
);
4297 DEBUG(5,("_samr_unknown_2e: %d\n", __LINE__
));
4302 /*******************************************************************
4304 ********************************************************************/
4306 NTSTATUS
_samr_set_dom_info(pipes_struct
*p
, SAMR_Q_SET_DOMAIN_INFO
*q_u
, SAMR_R_SET_DOMAIN_INFO
*r_u
)
4308 time_t u_expire
, u_min_age
;
4310 time_t u_lock_duration
, u_reset_time
;
4312 r_u
->status
= NT_STATUS_OK
;
4314 DEBUG(5,("_samr_set_dom_info: %d\n", __LINE__
));
4316 /* find the policy handle. open a policy on it. */
4317 if (!find_policy_by_hnd(p
, &q_u
->domain_pol
, NULL
))
4318 return NT_STATUS_INVALID_HANDLE
;
4320 DEBUG(5,("_samr_set_dom_info: switch_value: %d\n", q_u
->switch_value
));
4322 switch (q_u
->switch_value
) {
4324 u_expire
=nt_time_to_unix_abs(&q_u
->ctr
->info
.inf1
.expire
);
4325 u_min_age
=nt_time_to_unix_abs(&q_u
->ctr
->info
.inf1
.min_passwordage
);
4327 account_policy_set(AP_MIN_PASSWORD_LEN
, (uint32
)q_u
->ctr
->info
.inf1
.min_length_password
);
4328 account_policy_set(AP_PASSWORD_HISTORY
, (uint32
)q_u
->ctr
->info
.inf1
.password_history
);
4329 account_policy_set(AP_USER_MUST_LOGON_TO_CHG_PASS
, (uint32
)q_u
->ctr
->info
.inf1
.flag
);
4330 account_policy_set(AP_MAX_PASSWORD_AGE
, (int)u_expire
);
4331 account_policy_set(AP_MIN_PASSWORD_AGE
, (int)u_min_age
);
4336 u_logout
=nt_time_to_unix_abs(&q_u
->ctr
->info
.inf3
.logout
);
4337 account_policy_set(AP_TIME_TO_LOGOUT
, (int)u_logout
);
4346 u_lock_duration
=nt_time_to_unix_abs(&q_u
->ctr
->info
.inf12
.duration
);
4347 u_reset_time
=nt_time_to_unix_abs(&q_u
->ctr
->info
.inf12
.reset_count
);
4349 account_policy_set(AP_LOCK_ACCOUNT_DURATION
, (int)u_lock_duration
);
4350 account_policy_set(AP_RESET_COUNT_TIME
, (int)u_reset_time
);
4351 account_policy_set(AP_BAD_ATTEMPT_LOCKOUT
, (uint32
)q_u
->ctr
->info
.inf12
.bad_attempt_lockout
);
4354 return NT_STATUS_INVALID_INFO_CLASS
;
4357 init_samr_r_set_domain_info(r_u
, NT_STATUS_OK
);
4359 DEBUG(5,("_samr_set_dom_info: %d\n", __LINE__
));